CVE-2025-11719
Severity: CRITICAL. CVSS Vector (NVD):
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
Starting in Thunderbird 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. This vulnerability was fixed in Firefox 144 and Thunderbird 144.
Analysis (AI-generated)
Use-after-free (CWE-416) in the native messaging API used by web extensions on Windows, affecting Thunderbird 143 and later before 144 and Firefox releases before 144; fixed in Firefox 144 and Thunderbird 144. NVD scores it CVSS 9.8 (critical) with AV:N/AC:L/PR:N/UI:N and high impact to confidentiality, integrity and availability. Note the gap between that score and the vendor text: the NVD description speaks only of crashes, so remote code execution is an inference from the bug class (use-after-free corruption is frequently exploitable for code execution) rather than a demonstrated outcome. In practice the affected code is only reached when an installed extension that holds the nativeMessaging permission talks to a registered native host, a precondition the PR:N/UI:N metrics do not capture. No public exploit was identified at the time of analysis.
Technical Context (AI-generated)
This vulnerability is a CWE-416 (Use After Free), a memory safety defect in which code dereferences memory after it has been released. The flaw is in the native messaging implementation that web extensions use on Windows in Mozilla products. Native messaging lets an extension that declares the nativeMessaging permission exchange length-prefixed JSON messages over stdin/stdout with a native application that the browser launches; on Windows the browser locates the host's manifest through a registry key under HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\NativeMessagingHosts. Because the host process runs outside the browser sandbox, this API is a privileged boundary. When an extension drives the API, the browser can end up referencing freed memory; the NVD text describes the observed outcome as crashes, and, as with other use-after-free bugs, the corruption may be leverageable for arbitrary code execution. Thunderbird is affected from version 143; the NVD text gives no starting version for Firefox, only that releases before 144 are affected. Both products share the Gecko native messaging code, which is why one fix landed in both. The NVD CPE entries list cpe:2.3:a:mozilla:firefox and cpe:2.3:a:mozilla:thunderbird; the description restricts the affected platform to Windows.
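To make the boundary this bug sits on concrete, here is an added example written for this page (not code from Mozilla or from any extension) of the documented native messaging wire format: a 32-bit message length in the host's native byte order (little-endian on Windows x86/x64) followed by that many bytes of UTF-8 JSON, with the documented 1 MB cap on host-to-extension messages enforced by the decoder. The function names and the sample messages are constructed for illustration; the extension-side calls shown in the comments (`browser.runtime.connectNative`, the `nativeMessaging` permission) and the registry location are the real WebExtension API and host registration.

```javascript
// Added example for this page, not code from Mozilla. Shows the native messaging
// wire format between a WebExtension and its native host: a 32-bit message length
// in the host's native byte order (little-endian on Windows x86/x64) followed by
// that many bytes of UTF-8 JSON, exchanged over the host's stdin/stdout.
//
// Extension side (real API, needs "nativeMessaging" in manifest.json permissions):
//   const port = browser.runtime.connectNative("ping_pong"); // host name from its manifest
//   port.onMessage.addListener((msg) => { /* decoded JSON object */ });
//   port.postMessage({ ping: 1 });
// On Windows the browser finds the host manifest via the registry key
// HKEY_CURRENT_USER\SOFTWARE\Mozilla\NativeMessagingHosts\<name> (or the HKLM equivalent).

const HOST_TO_EXT_MAX = 1024 * 1024; // documented 1 MB cap on host -> extension messages

// Frame one JSON-serialisable object the way the browser and host write it to the pipe.
function encodeNativeMessage(obj) {
  const payload = new TextEncoder().encode(JSON.stringify(obj));
  const frame = new Uint8Array(4 + payload.length);
  new DataView(frame.buffer).setUint32(0, payload.length, true); // true = little-endian
  frame.set(payload, 4);
  return frame;
}

// Incremental decoder for the host -> extension direction. A pipe read can return
// half a frame or several frames, so it parses what is complete, returns the
// unconsumed tail for the next read, and refuses a length above the cap rather
// than allocating for it (a hostile or buggy host controls that field).
function decodeNativeMessages(bytes) {
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const messages = [];
  let offset = 0;
  while (bytes.length - offset >= 4) {
    const len = view.getUint32(offset, true);
    if (len > HOST_TO_EXT_MAX) {
      throw new RangeError(`frame length ${len} exceeds the 1 MB host message limit`);
    }
    if (bytes.length - offset - 4 < len) break; // partial frame: wait for more bytes
    const body = bytes.subarray(offset + 4, offset + 4 + len);
    messages.push(JSON.parse(new TextDecoder().decode(body)));
    offset += 4 + len;
  }
  return { messages, rest: bytes.subarray(offset) };
}

// Constructed sample stream: two complete frames followed by the first two bytes
// of a third whose length prefix never completes.
function sampleStream() {
  const a = encodeNativeMessage({ pong: 1 });
  const b = encodeNativeMessage({ status: "ok", bytes: 42 });
  const out = new Uint8Array(a.length + b.length + 2);
  out.set(a, 0);
  out.set(b, a.length);
  out[a.length + b.length] = 7; // first byte of an incomplete length prefix
  return out;
}
```

The decoder's refusal of an oversized length is the kind of check that matters at this boundary: the length field is attacker-influenced whenever the host is, and the browser must never trust it when sizing or freeing buffers.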
Remediation (AI-generated)
Update to Firefox 144 or later and Thunderbird 144 or later; Mozilla's patches fix the memory corruption in the native messaging implementation. Firefox users can check for the update under Settings > General > Firefox Updates, Thunderbird users under Settings > General > Updates, and either product shows the installed version under Help > About. Organizations with managed deployments should prioritise Windows endpoints, since the NVD description limits the affected platform to Windows. No workaround preserves full web extension functionality. Until patching is complete, organizations with strict security requirements can temporarily disable web extensions or restrict installation to an allowlist through the ExtensionSettings enterprise policy (the active policy can be confirmed in about:policies). Review installed extensions and remove any that are untrusted or unnecessary, paying particular attention to those that declare the nativeMessaging permission, since only those can reach the affected code; the native hosts registered on a Windows endpoint can be enumerated from the HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\NativeMessagingHosts keys. Full technical details and patch information are in Mozilla Security Advisories MFSA2025-81 (https://www.mozilla.org/security/advisories/mfsa2025-81/) and MFSA2025-84 (https://www.mozilla.org/security/advisories/mfsa2025-84/). The upstream bug is tracked at https://bugzilla.mozilla.org/show_bug.cgi?id=1991950.
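The allowlist control described above, as an added example written for this page rather than a Mozilla-provided script: it builds the ExtensionSettings enterprise policy that blocks extension installs by default and allows only listed IDs, shows the weak default (no policy) beside it, and evaluates an install request the way the documented precedence does (a per-ID entry overrides the "*" default). The extension IDs in the sample are placeholders, not real add-ons; the policy keys and values are Mozilla's.

```javascript
// Added example for this page, not Mozilla's code. Builds the enterprise policy
// that restricts extension installs to an allowlist and evaluates an install
// request under the documented ExtensionSettings precedence: a per-ID entry
// overrides the "*" default, and with no policy at all every install is allowed.
// The extension IDs used in the sample are placeholders, not real add-ons.

// Weak default: nothing configured, so any extension may be installed.
function noExtensionPolicy() {
  return { policies: {} };
}

// Hardened policy: block everything except the listed extension IDs. Note that
// installation_mode "blocked" also removes an already-installed extension that
// is not allowlisted, so inventory installed extensions before rolling this out.
function buildExtensionPolicy(allowedIds, blockedMessage) {
  const settings = {
    "*": { installation_mode: "blocked", blocked_install_message: blockedMessage },
  };
  for (const id of allowedIds) {
    settings[id] = { installation_mode: "allowed" };
  }
  return { policies: { ExtensionSettings: settings } };
}

// Returns the installation_mode that applies to extensionId under the policy.
function installDecision(policy, extensionId) {
  const settings = (policy.policies && policy.policies.ExtensionSettings) || {};
  const entry = settings[extensionId] || settings["*"];
  return entry ? entry.installation_mode : "allowed";
}

// File content to place at <install dir>\distribution\policies.json on Windows
// (for example C:\Program Files\Mozilla Firefox\distribution\policies.json, and
// the equivalent path for Thunderbird) or to push through the matching GPO.
function renderPoliciesJson(policy) {
  return JSON.stringify(policy, null, 2);
}

// Constructed sample: one internal add-on is allowed, everything else blocked.
function samplePolicy() {
  return buildExtensionPolicy(
    ["corp-tooling@example.com"], // placeholder ID, not a real add-on
    "Extension installs are blocked until CVE-2025-11719 patching completes."
  );
}
```

Run `renderPoliciesJson(samplePolicy())` to get the file to deploy; after deployment, about:policies on the endpoint should list ExtensionSettings as active.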