CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
Analysis (AI-generated)
Memory corruption vulnerabilities in Mozilla Firefox (ESR 128.12, ESR 140.0, Firefox 140) and Thunderbird (ESR 128.12, ESR 140.0, Thunderbird 140), classified as buffer overflow (CWE-119), allow unauthenticated remote attackers to execute arbitrary code. User interaction is required. Mozilla has released patches for all affected products (Firefox 141, ESR 128.13, ESR 140.1, Thunderbird 141, 128.13, 140.1). No public exploit was identified at the time of analysis; the CVSS score of 8.8 nonetheless reflects high severity, with complete compromise of confidentiality, integrity and availability possible.
Technical Context (AI-generated)
This vulnerability stems from CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), commonly known as buffer overflow. The affected products are Mozilla's core browser and email platforms: Firefox ESR (Extended Support Release) branches 128.x and 140.x, standard Firefox 140, and corresponding Thunderbird versions. Memory safety bugs in browser engines are particularly dangerous because they affect the core rendering and JavaScript execution components. These bugs can corrupt heap or stack memory, enabling control-flow hijacking. Buffer overflow exploitation in modern browsers requires bypassing multiple exploit mitigations (ASLR, DEP, CFI), but Mozilla's acknowledgment that these bugs 'could have been exploited to run arbitrary code' indicates the underlying memory corruption was severe enough to potentially overcome these defenses. The CPE strings confirm impact across both standard and ESR release channels for both Firefox and Thunderbird, affecting organizations using long-term support versions.
Remediation (AI-generated)
Vendor-released patches are available for all affected products. Upgrade Firefox ESR 128.x to version 128.13 or later, Firefox ESR 140.x to version 140.1 or later, and the Firefox standard release to version 141 or later. For Thunderbird, upgrade Thunderbird ESR 128.x to version 128.13 or later, Thunderbird ESR 140.x to version 140.1 or later, and the Thunderbird standard release to version 141 or later. Organizations should prioritize ESR channel updates, as these versions are typically deployed in enterprise environments with delayed patching cycles. Detailed upgrade instructions and release notes are available in the Mozilla Security Advisories at https://www.mozilla.org/security/advisories/mfsa2025-56/ through MFSA2025-63. No effective workarounds exist short of discontinuing use of vulnerable versions, because the memory corruption bugs are triggered during normal browser and email client operation. Debian users should also consult the debian-lts-announce mailing list for distribution-specific patching guidance.
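The following is an added example (not part of this page or of Mozilla's own tooling) that turns the fixed-version thresholds above into an inventory check: each version string is assigned to a channel and compared against the release that fixes it. It assumes version strings as reported by about:support or `firefox --version` with the product name stripped, and that ESR builds carry an `esr` suffix (an assumption; pass the channel yourself if your inventory records it differently).

```python
import csv
import io
import re

# Fixed releases stated in the advisory text, keyed by channel.
FIXED = {"esr128": (128, 13, 0), "esr140": (140, 1, 0), "release": (141, 0, 0)}

# Accepts 'MAJOR[.MINOR[.PATCH]][esr]', e.g. '128.12.0esr' or '140.0.4'.
VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?$")


def parse_version(text):
    """Return ((major, minor, patch), is_esr); missing components count as 0."""
    m = VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(g or 0) for g in m.groups()[:3])
    return nums, m.group(4) is not None


def assess(version):
    """Classify one Firefox/Thunderbird version against the fixed releases above."""
    nums, is_esr = parse_version(version)
    # Assumption: the 'esr' suffix identifies the ESR channel; the major number picks the branch.
    channel = f"esr{nums[0]}" if is_esr else "release"
    fixed = FIXED.get(channel)
    if fixed is None:
        status = "not_covered"  # an ESR branch this advisory does not list; assess separately
    else:
        status = "fixed" if nums >= fixed else "vulnerable"
    return {"version": version, "channel": channel, "status": status,
            "upgrade_to": ".".join(map(str, fixed)) if fixed else None}


def hosts_needing_upgrade(inventory_csv):
    """Read 'host,product,version' rows; return (host, product, upgrade_to) for vulnerable ones."""
    out = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        result = assess(row["version"])
        if result["status"] == "vulnerable":
            out.append((row["host"], row["product"], result["upgrade_to"]))
    return out


# Constructed sample inventory (hosts and versions are made up for illustration).
SAMPLE_INVENTORY = """host,product,version
ws-01,firefox,128.12.0esr
ws-02,firefox,128.13.0esr
ws-03,thunderbird,140.0esr
ws-04,firefox,140.0.4
ws-05,firefox,141.0
"""

if __name__ == "__main__":
    for host, product, target in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(f"{host}: {product} -> upgrade to {target} or later")
```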