CVE-2025-11715
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1Description
Memory safety bugs present in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.
Analysis
Memory corruption in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird ESR 140.3 enables remote arbitrary code execution when users interact with malicious content. Exploitation requires user interaction (opening crafted web content or email), but no authentication is needed. Mozilla issued patches in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird ESR 140.4. With CVSS 8.8 and EPSS data unavailable, the vulnerability represents critical risk to unpatched installations. No public exploit identified at time of analysis, though Mozilla's acknowledgment of memory corruption evidence suggests exploitation is technically feasible.
Technical Context
This vulnerability stems from CWE-119 (Improper Restriction of Operations within Bounds of Memory Buffer), encompassing multiple memory safety bugs in Mozilla's Gecko rendering engine shared by Firefox and Thunderbird. The affected products span both regular release channels (Firefox 143, Thunderbird 143) and Extended Support Release (ESR) branches (Firefox ESR 140.3, Thunderbird ESR 140.3) as identified by CPE strings. Memory safety bugs in browser engines typically involve use-after-free conditions, buffer overflows, or type confusion vulnerabilities in JavaScript JIT compilation, DOM manipulation, or media codec handling. Mozilla's Bugzilla references seven distinct bug IDs (1983838, 1987624, 1988244, 1988912, 1989734, 1990085, 1991899), indicating this CVE aggregates multiple related memory corruption issues rather than a single flaw. The presence of memory corruption evidence suggests these bugs could corrupt heap or stack memory structures, potentially enabling control flow hijacking.
Affected Products
Mozilla Firefox version 143 and all versions in the ESR 140 branch through 140.3 (cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* and cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*). Mozilla Thunderbird version 143 and all versions in the ESR 140 branch through 140.3 (cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* and cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*). Debian LTS distributions incorporating vulnerable Firefox and Thunderbird versions are also affected per advisories at lists.debian.org. Vendor security advisories are available at https://www.mozilla.org/security/advisories/mfsa2025-81/ (Firefox 144), https://www.mozilla.org/security/advisories/mfsa2025-83/ (Firefox ESR 140.4), https://www.mozilla.org/security/advisories/mfsa2025-84/ (Thunderbird 144), and https://www.mozilla.org/security/advisories/mfsa2025-85/ (Thunderbird ESR 140.4).
Remediation
Vendor-released patches are available: upgrade Firefox regular release to version 144 or later, Firefox ESR installations to version 140.4 or later, Thunderbird regular release to version 144 or later, and Thunderbird ESR installations to version 140.4 or later. Download patches from Mozilla's official release channels or apply updates through your operating system's package manager. Debian LTS users should follow guidance at https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html and https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html for distribution-specific patched packages. Mozilla security advisories with complete fix details are at https://www.mozilla.org/security/advisories/mfsa2025-81/, mfsa2025-83/, mfsa2025-84/, and mfsa2025-85/. No effective workaround exists beyond avoiding untrusted web content and email attachments, which is operationally impractical; patching is the only reliable mitigation.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today