EUVD-2025-19098CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 140 and Thunderbird < 140.
Analysis
CVE-2025-6436 is a collection of memory safety vulnerabilities in Firefox and Thunderbird versions 139 that demonstrate evidence of memory corruption with potential for arbitrary code execution. The vulnerability affects Firefox < 140 and Thunderbird < 140, and requires network access but moderate attack complexity. While no active exploitation in the wild has been confirmed, the high CVSS score of 8.1 and memory corruption evidence indicate this is a critical patch requiring immediate deployment.
Technical Context
This vulnerability stems from CWE-119 (Buffer Errors), a memory safety class affecting unsafe memory operations in C/C++ codebases. Firefox and Thunderbird are built on the Gecko rendering engine, which handles complex parsing of web content, HTML, JavaScript, and email attachments. The 'memory safety bugs' classification indicates multiple distinct buffer overflow, out-of-bounds access, or use-after-free conditions were discovered during version 139 development. The root cause reflects the inherent challenges in memory management within large-scale browser engines processing untrusted input from diverse sources (web pages, email, plugins). These bugs were identified and patched before version 140 release.
Affected Products
Firefox versions < 140 (including 139 and all earlier releases); Thunderbird versions < 140 (including 139 and all earlier releases). CPE strings would follow: cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:* (versions <140) and cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (versions <140). Both products share the Gecko engine, explaining the parallel vulnerability. Desktop and mobile Firefox variants (if applicable) are affected. Users on automatic update systems may already be protected if Firefox/Thunderbird 140+ has been deployed.
Remediation
Immediate action: Update Firefox to version 140 or later and Thunderbird to version 140 or later. Users should enable automatic updates if not already configured (default for most installations). Mozilla's security advisory for this CVE (referenced in the description) provides specific version information. No workarounds mitigate memory corruption vulnerabilities; patching is mandatory. Organizations should prioritize deployment of Firefox 140+ and Thunderbird 140+ patches across all systems. Verify patch deployment through version checking in about:firefox and about:support dialogs. For enterprise environments, consider mandatory update policies via GPO (Windows) or MDM solutions.
Priority Score
Vendor Status
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| jammy | not-affected | code not present |
| noble | not-affected | code not present |
| oracular | not-affected | code not present |
| plucky | not-affected | code not present |
| upstream | needs-triage | - |
| questing | not-affected | code not present |
| Release | Status | Version |
|---|---|---|
| noble | not-affected | code not present |
| oracular | not-affected | code not present |
| plucky | not-affected | code not present |
| upstream | released | 140 |
| questing | not-affected | code not present |
| jammy | released | 1:140.7.1+build1-0ubuntu0.22.04.1 |
| Release | Status | Version |
|---|---|---|
| bionic | needs-triage | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| bionic | ignored | - |
| focal | ignored | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| focal | ignored | - |
| jammy | DNE | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | - |
| noble | DNE | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | ignored | - |
| noble | ignored | - |
| oracular | DNE | - |
| plucky | DNE | - |
| upstream | needs-triage | - |
| questing | DNE | - |
| Release | Status | Version |
|---|---|---|
| jammy | DNE | - |
| noble | ignored | - |
| oracular | ignored | - |
| plucky | ignored | - |
| upstream | needs-triage | - |
| questing | DNE | - |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| sid | fixed | 148.0.2-1 | - |
| (unstable) | fixed | 140.0-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today