CVE-2026-2796 is a high-severity vulnerability characterized by just-in-time (JIT) miscompilation within the JavaScript WebAssembly component of Mozilla Firefox. This vulnerability can cause incorrect code generation during JIT compilation, potentially leading to severe security impacts such as arbitrary code execution or memory corruption. The issue was reported by multiple security researchers and fixed in Firefox version 148 and Thunderbird version 148. Mozilla's official advisories (MFSA2026-13 and MFSA2026-16) provide comprehensive details and confirm that the vulnerability is resolved in these versions.

The vulnerability has a CVSS v3.1 base score of 9.8 (critical), indicating it can be exploited remotely without authentication or user interaction to cause complete compromise of confidentiality, integrity, and availability of the affected system. If exploited, attackers could execute arbitrary code or cause denial of service. However, no exploits have been observed in the wild so far. The impact is mitigated by the availability of fixed versions of Firefox and Thunderbird.

Mozilla has released official fixes for this vulnerability in Firefox 148 and Thunderbird 148. Users and administrators should update to these versions or later immediately to remediate the risk. Since this is not a cloud service, patching the client software is required. There are no vendor advisories indicating that no action is required or that the issue is already mitigated without patching. Patch status is confirmed as fixed by Mozilla's security advisories.