CVE-2025-11721
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Memory safety bug present in Firefox 143 and Thunderbird 143. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144 and Thunderbird 144.
Analysis
Remote code execution in Mozilla Firefox 143 and Thunderbird 143 allows unauthenticated network attackers to execute arbitrary code via memory corruption. The vulnerability stems from a memory safety bug (CWE-119 buffer overflow) exploitable without user interaction. CVSS score of 9.8 reflects critical severity with network-based attack vector, low complexity, and no privileges required. Vendor-released patches are available in Firefox 144 and Thunderbird 144. No public exploit identified at time of analysis, though Mozilla's assessment indicates the memory corruption is presumed exploitable with sufficient effort.
Technical Context
This vulnerability represents a memory safety issue classified as CWE-119 (improper restriction on operations within memory buffer bounds), commonly manifesting as buffer overflows, out-of-bounds reads/writes, or use-after-free conditions. Memory corruption bugs in browser engines are particularly severe because they affect core rendering or JavaScript execution components that process untrusted web content. The affected products are Mozilla Firefox (cpe:2.3:a:mozilla:firefox) and Thunderbird (cpe:2.3:a:mozilla:thunderbird), both at version 143. Firefox is a web browser while Thunderbird is an email client that shares significant portions of Mozilla's Gecko rendering engine codebase. Memory safety bugs in shared components can expose both applications to similar attack surfaces. The technical evidence showing memory corruption combined with the network-accessible attack vector indicates the vulnerability likely exists in a content parsing or rendering component that processes data from remote sources without adequate bounds checking.
Affected Products
Mozilla Firefox version 143 and Mozilla Thunderbird version 143 are confirmed vulnerable based on CPE identifiers cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* and cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*. The vulnerability affects both the standalone browser application and the email client, which share underlying Gecko engine components. Mozilla security advisories MFSA2025-81 (https://www.mozilla.org/security/advisories/mfsa2025-81/) and MFSA2025-84 (https://www.mozilla.org/security/advisories/mfsa2025-84/) provide official vendor confirmation and technical details. The bug is tracked in Mozilla's Bugzilla as bug 1986816 (https://bugzilla.mozilla.org/show_bug.cgi?id=1986816), though detailed technical information may be restricted until widespread patch adoption occurs.
Remediation
Vendor-released patch: Upgrade to Firefox 144 or later for Firefox installations, and Thunderbird 144 or later for Thunderbird installations. Both versions contain the complete fix for this memory safety vulnerability. Organizations should deploy these updates through standard browser update mechanisms, with Firefox ESR users consulting Mozilla's extended support release channels for equivalent patched versions. Users on automatic update channels will receive patches through normal update processes. Consult Mozilla Security Advisory MFSA2025-81 for Firefox-specific guidance (https://www.mozilla.org/security/advisories/mfsa2025-81/) and MFSA2025-84 for Thunderbird details (https://www.mozilla.org/security/advisories/mfsa2025-84/). No effective workarounds exist for memory corruption vulnerabilities of this nature beyond upgrading to patched versions. Network-level filtering cannot mitigate browser-level memory safety issues that trigger during normal content rendering.