CVE-2026-2796
CRITICAL · 9.8 · EPSS 0.0%
Real vuln, working PoC documented, but no KEV/active exploitation confirmation yet.
What: JIT miscompilation in Firefox/Thunderbird SpiderMonkey WebAssembly component enabling memory corruption (addrof/fakeobj primitives); CVSS 9.8 CRITICAL, patched in Firefox 148 and Thunderbird 148.
Why it matters: High-severity browser JIT bug with memory safety primitives demonstrated by a security researcher. Not yet KEV-listed, but the CRITICAL CVSS score and public technical breakdown signal real weaponization potential. Patch availability (Feb 2026) means defenders have a mitigation window.
Where it's seen: Researcher educational content ("What The Claude" series) dissecting the vulnerability mechanics on Twitter/Bluesky. No evidence of in-the-wild exploitation or mass scanning yet; chatter is analyst-driven technical writeup, not incident response noise.
RISK: HIGH — CRITICAL CVSS, memory safety primitives, browser attack surface, not yet widely exploited.
AttackerKB
view on attackerkb.com →
Authlib is a Python library for building OAuth and OpenID Connect servers. Prior to version 1.6.9, a JWK Header Injection vulnerability in authlib's JWS implementation allows an unauthenticated attacker to forge arbitrary JWT tokens that pass signature verification. When key=None is passed to any JWS deserialization function, the library extracts and uses the cryptographic key embedded in the attacker-controlled JWT jwk header field. An attacker can sign a token with their own private key, embed the matching public key in the header, and have the server accept the forged token as cryptographically valid — bypassing authentication and authorization entirely. This issue has been patched in version 1.6.9.
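The following is an added example, not authlib's code and not taken from the AttackerKB entry. It models the key-selection flaw described above in a minimal stdlib-only JWS verifier: in the vulnerable mode the verifier, given no configured key, takes its key from the token's own `jwk` header; in the hardened mode it refuses to verify without a server-side key and ignores the header `jwk` entirely. For simplicity it uses HS256 with an `oct` JWK instead of the asymmetric case the advisory describes, but the logic error (trusting key material that arrives inside the object being verified) is the same. All keys, names and tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    """Base64url decode, restoring any stripped padding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jws(payload: dict, key: bytes, header_extra: Optional[dict] = None) -> str:
    """Produce a compact HS256 JWS; header_extra lets a caller add e.g. a 'jwk' member."""
    header = {"alg": "HS256", "typ": "JWT"}
    if header_extra:
        header.update(header_extra)
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jws(token: str, key: Optional[bytes], trust_header_jwk: bool) -> Optional[dict]:
    """Return the payload if the signature verifies, else None.

    trust_header_jwk=True reproduces the flawed behaviour: with key=None the
    verifier pulls its key out of the (attacker-controlled) 'jwk' header.
    trust_header_jwk=False is the hardened behaviour: no configured key means
    no verification at all, and the header 'jwk' is never used as a trust anchor.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; never let the token choose it
    if key is None:
        if trust_header_jwk and "jwk" in header:
            # VULNERABLE: key material comes from inside the token being checked
            key = b64url_decode(header["jwk"]["k"])
        else:
            return None  # HARDENED: refuse rather than guess a key
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


# Constructed secrets for the demonstration only.
SERVER_KEY = b"constructed-server-secret-not-a-real-key"


def demo() -> dict:
    """Show the same forged token against the vulnerable and the hardened verifier."""
    attacker_key = b"constructed-attacker-key"
    embedded_jwk = {"kty": "oct", "k": b64url_encode(attacker_key)}
    forged = sign_jws({"sub": "admin"}, attacker_key, {"jwk": embedded_jwk})
    legit = sign_jws({"sub": "alice"}, SERVER_KEY)
    return {
        "forged_accepted_by_vulnerable": verify_jws(forged, None, trust_header_jwk=True) is not None,
        "forged_accepted_by_fixed": verify_jws(forged, None, trust_header_jwk=False) is not None,
        "forged_accepted_with_configured_key": verify_jws(forged, SERVER_KEY, trust_header_jwk=True) is not None,
        "legit_accepted_with_configured_key": verify_jws(legit, SERVER_KEY, trust_header_jwk=False) is not None,
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The practical takeaway for a defender is the last two results: once the verifier is always handed a server-configured key (or a key looked up from a trusted key set by `kid`), the header `jwk` is irrelevant and the forged token fails, while legitimate tokens still pass. Audit code paths for any JWS/JWT decode call that can receive a `None` or caller-supplied key, and treat the `jwk` header as at most a hint to select among keys the server already trusts.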
Public PoCs on GitHub 13 repos
- nomi-sec/PoC-in-GitHub ★ 7687
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
- DarkFunct/TK-CVE-Repo ★ 49 · Python
TK-CVE-Repo
- hiifong/starList ★ 18 · Python
Export your star's repository list
- patrickmgarrity/Anthropic-Credited-CVEs ★ 15
Tracking Vulnerabilities That Appear to be Credited to the Anthropic Research Team
- R00T-Kim/Terminator ★ 5 · Python
Articles & coverage 15 articles
- CVE-2026-2796 — Type Confusion in Thunderbird+1 | dbugs
The vulnerability was identified through a process where the AI explores the codebase, identifies potential bugs, and verifies exploitability
- Reverse engineering Claude's CVE-2026-2796 exploit | Pablo Navas
AI just found dozens of vulnerabilities in Firefox. Lately everyone in security circles is talking about Claude Sonnet / Opus 4.6,
- CVE-2026-2796 | Vulnerability Database | Aqua Security
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
- CVE-2026-2796 (CVSS 9.8) Firefox JIT Miscompila… | PurpleOps
Key Takeaways: Claude Opus 4.6 identified 22 confirmed vulnerabilities in the Firefox codebase, including 14 high-severity bugs.
- CVE-2026-2796 - Critical Vulnerability - TheHackerWire
CVE-2026-2796 is a Critical severity security vulnerability affecting Mozilla Firefox. JIT miscompilation in the JavaScript: WebAssembly
NVD details: 1 CWE · 1 vendor · 3 refs
Description
JIT miscompilation in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
References
- https://bugzilla.mozilla.org/show_bug.cgi?id=2013165 [Permissions Required]
Top posts driving the trend
@5tratan · X · 5/2/2026
Introducing What The Claude: Browser Edition. A series where we pick apart browser bugs found/reported by Claude. First up: CVE-2026-2796, a SpiderMonkey Wasm import bug that leads to addrof/fakeobj/read-write. https://t.co/njBC5WEjq8
♥ 0 · ↻ 0 · 💬 0
- @infosecbot.bsky.social · Bluesky · 5/2/2026
Introducing What The Claude: Browser Edition. A series where we pick apart browser bugs found/reported by Claude. First up: CVE-2026-2796, a SpiderMonkey Wasm import bug that leads to addrof/fakeobj/read-writ… 🔁 RT @5tratan | reposted by @thegrugq https://x.com/5tratan/status/2050688323610427728
♥ 0 · ↻ 0 · 💬 0
@5tratan · X · 5/2/2026
Introducing What The Claude: Browser Edition. A series where we pick apart browser bugs reported by Claude. First up: CVE-2026-2796, a SpiderMonkey Wasm import bug that leads to addrof/fakeobj/read-write. https://t.co/njBC5WEjq8
♥ 0 · ↻ 0 · 💬 0