VIR Vulnerability Intelligence Relay

CVE-2019-9793

critical
Published — · Modified —
CVSS v3
CVSS v2
VIR risk
9.5

Description

A mechanism was discovered that removes some bounds checking for string, array, or typed array accesses if Spectre mitigations have been disabled. This vulnerability could allow an attacker to create an arbitrary value in compiled JavaScript, for which the range analysis will infer a fully controlled, incorrect range in circumstances where users have explicitly disabled Spectre mitigations. *Note: Spectre mitigations are currently enabled for all users by default settings.*. This vulnerability affects Thunderbird < 60.6, Firefox ESR < 60.6, and Firefox < 66.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2019-9793

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2019-9793.html

vendor Authored 2026-05-27

Vendor advisory: arch — https://security.archlinux.org/ASA-201903-11

OS impact
OSVersionStatusFixed in
arch archfixed66.0-1
suse slesaffected
debian debiansidfixed66.0-1
debian debianbookwormfixed60.6.0esr-1
debian debianbullseyefixed60.6.0esr-1
debian debianforkyfixed60.6.0esr-1
debian debiantrixiefixed60.6.0esr-1

References

Verify integrity in audit chain (admin only). AS-IS.