CVE-2025-11710

CRITICAL
2025-10-14 [email protected]
CVSS 3.1 base score: 9.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Apr 13, 2026 - 15:43 (vuln.today)

Description (NVD)

A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

Analysis (AI)

Information disclosure in Mozilla Firefox and Thunderbird allows unauthenticated remote attackers to extract privileged browser process memory via malicious IPC messages sent from a compromised web content process. Affected versions are Firefox <144, Firefox ESR <115.29 and <140.4, and Thunderbird <144 and <140.4. The CVSS score of 9.8 indicates a network-exploitable flaw requiring no authentication, though actual exploitation requires first compromising a web content process. Vendor-released patches are available (Firefox 144, Firefox ESR 115.29/140.4, Thunderbird 144/140.4). No public exploit was identified at the time of analysis; EPSS data was not provided.

Technical Context (AI)

This vulnerability (CWE-200: Information Exposure) exploits Mozilla's multi-process architecture, where web content runs in sandboxed child processes that communicate with the privileged parent browser process via Inter-Process Communication (IPC). The affected products (per CPE data: Mozilla Firefox standard and ESR branches, Mozilla Thunderbird) use the Gecko engine's IPC framework to enforce security boundaries between untrusted web content and browser privileges. The flaw allows a compromised web content process (one already executing attacker code due to a separate vulnerability) to craft malicious IPC messages that trick the parent process into disclosing chunks of its own memory. This breaks the sandbox containment model, exposing potentially sensitive data such as passwords, cookies, encryption keys, or browsing history stored in parent process memory. The root cause classification as CWE-200 indicates improper validation of IPC message parameters, allowing out-of-bounds or unauthorized memory reads in the privileged context.

Remediation (AI)

Immediately upgrade to a patched version: Firefox 144 or later for standard release users, Firefox ESR 115.29 or Firefox ESR 140.4 for organizations on extended support channels, and Thunderbird 144 or Thunderbird 140.4 depending on release track. Mozilla security advisories (https://www.mozilla.org/security/advisories/mfsa2025-81/ through mfsa2025-85/) provide release-specific guidance. For Debian-based Linux distributions, apply the security updates referenced in the Debian LTS announcements (https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html and msg00031.html). No workarounds exist for this IPC-layer vulnerability; patching is the only effective mitigation. Enterprises using Firefox ESR should verify that they are tracking the appropriate ESR branch (115.x or 140.x) and apply the corresponding .29 or .4 update. Verify patch application by checking the version number shown in About Firefox/Thunderbird after the update.
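The version check from the remediation steps, applied across an inventory, as an added example that is not part of the original page or of any Mozilla tooling. The host names and inventory rows are constructed, and treating a branch with no fix listed here (for example 128.x) as vulnerable with the next listed fixed build as its target is an assumption.

```python
import re

# Fixed builds exactly as listed on this page, lowest to highest per product.
FIXED = {
    "firefox": [(115, 29), (140, 4), (144, 0)],
    "thunderbird": [(140, 4), (144, 0)],
}

# Constructed sample inventory (hypothetical hosts), not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "144.0"),
    ("ws-02", "Firefox", "140.3.1esr"),
    ("ws-03", "Firefox", "115.29.0esr"),
    ("ws-04", "Firefox", "128.14.0esr"),
    ("ws-05", "Thunderbird", "115.29"),
    ("ws-06", "Thunderbird", "140.4.0esr"),
]

def parse_version(text):
    """'140.3.1esr' -> (140, 3); '144' -> (144, 0). Only major.minor decides."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.\d+)*(?:esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def triage(product, version):
    """Return (status, upgrade_target) for one installed build."""
    fixes = FIXED[product.strip().lower()]  # KeyError: product not on this page
    v = parse_version(version)
    same_branch = [f for f in fixes if f[0] == v[0]]
    if v >= fixes[-1] or (same_branch and v >= same_branch[0]):
        return "patched", None
    # Prefer the fix on the installed branch; otherwise (assumption) the next
    # fixed build above it, since this page lists no fix for that branch.
    major, minor = same_branch[0] if same_branch else next(f for f in fixes if f > v)
    return "vulnerable", f"{major}.{minor}" if minor else str(major)

def vulnerable_hosts(inventory):
    """Map host -> upgrade target for every row that is still exposed."""
    out = {}
    for host, product, version in inventory:
        status, target = triage(product, version)
        if status == "vulnerable":
            out[host] = target
    return out

if __name__ == "__main__":
    for host, target in vulnerable_hosts(SAMPLE_INVENTORY).items():
        print(f"{host}: upgrade to {target} or later")
```

Note that the same version number gives different answers per product: 115.29 is a fixed Firefox ESR build, while no Thunderbird fix is listed on the 115 branch.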
