CVE-2025-8033

Severity: MEDIUM
2025-07-22 [email protected]
CVSS 3.1 base score: 6.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 13, 2026 - 15:44 (vuln.today)

Description (NVD)

The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Analysis (AI)

Null pointer dereference in the Firefox and Thunderbird JavaScript engine allows remote attackers to cause a denial of service via malformed closed generator objects. The vulnerability affects Firefox versions below 141, Firefox ESR versions below 115.26/128.13/140.1 and Thunderbird versions below 141/128.13/140.1, and is triggered when a user visits a malicious webpage or opens a crafted email containing JavaScript that improperly resumes a closed generator. While the CVSS score is 6.5 (medium-high), the impact is limited to availability; no information disclosure or code execution is possible.

Technical Context (AI)

The vulnerability exists in the JavaScript engine's generator implementation, specifically in how it handles the state of closed generators. Generators in JavaScript are objects that implement the iterator protocol and can be paused and resumed. Per the ECMAScript specification, calling next() on a generator that has already completed should simply return { value: undefined, done: true }. The flaw occurs when the engine attempts to resume a generator that has already been closed without properly validating its state, leading to a null pointer dereference (CWE-476). This memory safety issue in SpiderMonkey, the JavaScript VM used by Firefox and Thunderbird, allows an attacker-controlled script to trigger improper memory access, causing a crash. The affected CPE strings indicate that all standard Firefox release channels and ESR (Extended Support Release) branches are impacted, as well as Thunderbird across all branches.

Remediation (AI)

Vendor-released patches: Firefox 141 and later, Firefox ESR 115.26 and later, Firefox ESR 128.13 and later, Firefox ESR 140.1 and later, Thunderbird 141 and later, Thunderbird 128.13 and later, and Thunderbird 140.1 and later. Users should update immediately via the browser/application auto-update mechanism or download the latest release from mozilla.org. Organizations managing enterprise Firefox or Thunderbird deployments should apply patches to all systems. No workaround is available; the vulnerability requires a patched engine. Refer to MFSA2025-56 through MFSA2025-63 for platform-specific advisories.

Vendor Status (Vendor)
