CVE-2025-11714
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description
Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
Analysis
Memory corruption vulnerabilities in Mozilla Firefox and Thunderbird allow remote code execution when users interact with malicious web content. Affected: Firefox ESR 115.28 and below, Firefox ESR 140.3 and below, Firefox 143 and below, Thunderbird 143 and below, and Thunderbird ESR 140.3 and below. Mozilla confirmed memory safety bugs with evidence of memory corruption and presumes them exploitable for arbitrary code execution. Vendor-released patches are available: Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4. The CVSS 8.8 score is driven by a network attack vector with low complexity, requiring only user interaction and no authentication. No public exploit was identified at the time of analysis, though the multiple internal bug reports point to a coordinated fix effort.
Technical Context
This vulnerability represents a class of memory safety bugs (CWE-119: Improper Restriction of Operations within Memory Buffers) affecting Mozilla's browser engine components shared between Firefox and Thunderbird. Memory safety bugs typically arise from unsafe memory operations in C/C++ code, such as buffer overflows, use-after-free conditions, or out-of-bounds access, within core rendering, JavaScript engine, or DOM processing components. The CPE strings identify affected products across both the Firefox mainline and ESR (Extended Support Release) branches, as well as the Thunderbird email client, which shares Firefox's Gecko rendering engine. Mozilla's advisory references five distinct Bugzilla entries (1973699, 1989945, 1990970, 1991040, 1992113), suggesting multiple independent memory corruption issues fixed in this security release. The presence of memory corruption evidence indicates these bugs could potentially be chained or individually leveraged to achieve arbitrary code execution within the browser sandbox, though Mozilla's cautious language ('presume that with enough effort') suggests exploitation is non-trivial but plausible.
Affected Products
Mozilla Firefox ESR versions up to and including 115.28 on the 115 branch and up to and including 140.3 on the 140 branch, Firefox mainline versions up to and including 143, Thunderbird versions up to and including 143, and Thunderbird ESR versions up to and including 140.3 are all vulnerable. The CPE identifiers confirm impact across both the Firefox standard and Extended Support Release branches (cpe:2.3:a:mozilla:firefox with ESR and standard designations) and the Thunderbird email client (cpe:2.3:a:mozilla:thunderbird). Debian Linux distributions shipping these browsers are also affected per downstream security announcements. Vendor advisories are available at mozilla.org/security/advisories/ with identifiers MFSA2025-81 through MFSA2025-85 covering the different product branches.
Remediation
Immediately upgrade to patched versions: Firefox ESR 115.29, Firefox ESR 140.4, Firefox 144, Thunderbird 144, or Thunderbird 140.4 depending on your deployment branch. Firefox ESR users on the 115.x track should update to 115.29; ESR users on 140.x track should update to 140.4; Firefox mainline users should update to version 144 or later. Thunderbird users should upgrade to version 144 (mainline) or 140.4 (ESR). Mozilla's automatic update mechanism will deliver these patches to most users, but enterprise deployments with managed updates should prioritize immediate rollout. Detailed remediation guidance is available in Mozilla Foundation Security Advisories MFSA2025-81 (https://www.mozilla.org/security/advisories/mfsa2025-81/), MFSA2025-82, MFSA2025-83, MFSA2025-84, and MFSA2025-85. Debian users should follow distribution-specific updates via debian-lts-announce channels. No effective workarounds exist short of disabling JavaScript or avoiding untrusted web content, which is impractical for normal browser usage.
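The fixed-version list above maps onto three distinct release branches, so a fleet check has to decide which branch an install is on before comparing numbers. The following script is an added example for this page, not Mozilla's or vuln.today's code: it parses the banner printed by `firefox --version` / `thunderbird --version` (assumed to look like "Mozilla Firefox 140.3.0esr" or "Thunderbird 144.0"), picks the branch from the "esr" suffix or the major number, and reports whether the install is below the fixed version for that branch. The sample banners at the bottom are constructed; the fixed versions are the ones this advisory lists.

```python
import re
from typing import NamedTuple, Optional

# Fixed versions from the advisory text (MFSA2025-81 .. MFSA2025-85),
# keyed by (product, branch). Anything older on the same branch is affected.
FIXED = {
    ("firefox", "esr115"): (115, 29, 0),
    ("firefox", "esr140"): (140, 4, 0),
    ("firefox", "release"): (144, 0, 0),
    ("thunderbird", "esr140"): (140, 4, 0),
    ("thunderbird", "release"): (144, 0, 0),
}

# Assumed banner shape: "<Mozilla >Firefox 140.3.0esr", "Thunderbird 144.0".
BANNER_RE = re.compile(
    r"(?P<product>Firefox|Thunderbird)\s+"
    r"(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?(?P<esr>esr)?",
    re.IGNORECASE,
)


class Install(NamedTuple):
    product: str
    version: tuple
    branch: str


def parse_banner(banner: str) -> Install:
    """Turn a --version banner into a product, version tuple and branch."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    product = m.group("product").lower()
    version = (int(m.group("major")), int(m.group("minor")), int(m.group("patch") or 0))
    major = version[0]
    # Branch selection (assumption): an "esr" suffix or an ESR major number
    # (115 for Firefox only, 140 for both products) means the ESR track.
    # Mainline 140.0.x builds fall through to the esr140 rule, which still
    # flags them (140.0.x < 140.4.0), matching "Firefox 143 and below".
    if product == "firefox" and major == 115:
        branch = "esr115"
    elif major == 140:
        branch = "esr140"
    else:
        branch = "release"
    return Install(product, version, branch)


def fixed_version(install: Install) -> tuple:
    return FIXED[(install.product, install.branch)]


def is_affected(install: Install) -> bool:
    """True when the install predates the fixed version on its branch."""
    return install.version < fixed_version(install)


def needs_upgrade(banner: str) -> Optional[str]:
    """Return the target version string if this banner is affected, else None."""
    inst = parse_banner(banner)
    if not is_affected(inst):
        return None
    return ".".join(str(n) for n in fixed_version(inst)) + ("esr" if inst.branch != "release" else "")


def triage(banners):
    """Return {banner: target_version} for every affected banner in the list."""
    return {b: t for b in banners if (t := needs_upgrade(b)) is not None}


# Constructed sample inventory, e.g. collected from endpoints by an agent.
SAMPLE_BANNERS = [
    "Mozilla Firefox 143.0.4",
    "Mozilla Firefox 144.0",
    "Mozilla Firefox 140.3.0esr",
    "Mozilla Firefox 140.4.0esr",
    "Mozilla Firefox 115.28.0esr",
    "Thunderbird 140.3.1esr",
    "Thunderbird 144.0",
]

if __name__ == "__main__":
    for banner, target in triage(SAMPLE_BANNERS).items():
        print(f"AFFECTED  {banner:32s} -> upgrade to {target}")
```

Run it with `python3 check_cve_2025_11714.py`, or feed real banners from `firefox --version` into `needs_upgrade()`. The comparison is a plain tuple comparison, so a patch level like 140.3.1 is still flagged below 140.4.0; Thunderbird builds on any branch other than 140 are checked against the 144 release target, since the advisory lists no other Thunderbird fixed version.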