What is the CVSS score of CVE-2025-11715?

CVE-2025-11715 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Thunderbird are affected by CVE-2025-11715?

Memory corruption vulnerability (CVE-2025-11715) in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird ESR 140.3 allows remote arbitrary code execution when users open malicious web…. A patch is available.

How to fix or mitigate CVE-2025-11715?

Within 24 hours: Identify all Firefox and Thunderbird installations via asset inventory and notify users of mandatory updates. Within 7 days: Deploy Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird ESR 140.4 via patch management systems; verify deployment completion for 100% of client base. Within 30 days: Audit logs for evidence of exploitation attempts; review email gateway filters and web content policies to restrict suspicious attachments and advise users on phishing awareness.

Thunderbird CVE-2025-11715

HIGH

Buffer Overflow (CWE-119)

2025-10-14 security@mozilla.org

RCE Buffer Overflow Red Hat Mozilla Thunderbird Suse

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 13, 2026 - 15:43 vuln.today

DescriptionNVD

Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

AnalysisAI

Memory corruption in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird ESR 140.3 enables remote arbitrary code execution when users interact with malicious content. Exploitation requires user interaction (opening crafted web content or email), but no authentication is needed. Mozilla issued patches in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird ESR 140.4. With CVSS 8.8 and EPSS data unavailable, the vulnerability represents critical risk to unpatched installations. No public exploit identified at time of analysis, though Mozilla's acknowledgment of memory corruption evidence suggests exploitation is technically feasible.

Technical ContextAI

This vulnerability stems from CWE-119 (Improper Restriction of Operations within Bounds of Memory Buffer), encompassing multiple memory safety bugs in Mozilla's Gecko rendering engine shared by Firefox and Thunderbird. The affected products span both regular release channels (Firefox 143, Thunderbird 143) and Extended Support Release (ESR) branches (Firefox ESR 140.3, Thunderbird ESR 140.3) as identified by CPE strings. Memory safety bugs in browser engines typically involve use-after-free conditions, buffer overflows, or type confusion vulnerabilities in JavaScript JIT compilation, DOM manipulation, or media codec handling. Mozilla's Bugzilla references seven distinct bug IDs (1983838, 1987624, 1988244, 1988912, 1989734, 1990085, 1991899), indicating this CVE aggregates multiple related memory corruption issues rather than a single flaw. The presence of memory corruption evidence suggests these bugs could corrupt heap or stack memory structures, potentially enabling control flow hijacking.

RemediationAI

Vendor-released patches are available: upgrade Firefox regular release to version 144 or later, Firefox ESR installations to version 140.4 or later, Thunderbird regular release to version 144 or later, and Thunderbird ESR installations to version 140.4 or later. Download patches from Mozilla's official release channels or apply updates through your operating system's package manager. Debian LTS users should follow guidance at https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html and https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html for distribution-specific patched packages. Mozilla security advisories with complete fix details are at https://www.mozilla.org/security/advisories/mfsa2025-81/, mfsa2025-83/, mfsa2025-84/, and mfsa2025-85/. No effective workaround exists beyond avoiding untrusted web content and email attachments, which is operationally impractical; patching is the only reliable mitigation.