Description
When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.
Published: 2025-01-07
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Crash via memory corruption
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is triggered when JavaScript processes specially crafted text during segmentation, causing memory corruption that may result in a potentially exploitable crash. The flaw is a classic buffer overread/write (CWE-119) that can lead to a use-after-free condition (CWE-401).

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected, including all builds prior to Firefox 134 (and ESR 128.6) and Thunderbird 134 (and ESR 128.6). These versions run on various Linux distributions, including Red Hat Enterprise Linux derivatives as noted by the associated CPEs.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the short term. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is maliciously crafted web content or local files that trigger the vulnerable text segmentation routine; the exact vector is inferred from the description of memory corruption during text processing.

Generated by OpenCVE AI on April 21, 2026 at 22:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 134 or ESR 128.6, and upgrade Thunderbird to version 134 or ESR 128.6.
  • In environments where an upgrade is delayed, enforce script execution restrictions or disable the JavaScript text segmentation feature if the application provides such configuration control, and monitor user activity for anomalous crashes.
  • Apply OS and dependency patches from the vendor or distribution to ensure all related libraries are up to date, reducing the window for exploitation.
  • For custom or third‑party modules that process text in JavaScript, audit the code for missing bounds checks and use‑after‑free conditions, and refactor to use safe string handling practices (CWE-119, CWE-401 mitigation).

Advisories
Source | ID | Title
Debian DLA | DLA-4011-1 | firefox-esr security update
Debian DLA | DLA-4012-1 | thunderbird security update
Debian DSA | DSA-5839-1 | firefox-esr security update
Debian DSA | DSA-5841-1 | thunderbird security update
EUVD | EUVD-2025-1573 | When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.
Ubuntu USN | USN-7191-1 | Firefox vulnerabilities
Ubuntu USN | USN-7991-1 | Thunderbird vulnerabilities

History

Mon, 13 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6. | When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Thunderbird 134, and Thunderbird 128.6.
Title | firefox: Memory corruption when using JavaScript Text Segmentation | Memory corruption when using JavaScript Text Segmentation

Mon, 03 Nov 2025 23:30:00 +0000

Type Values Removed Values Added
References

Thu, 03 Apr 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Thu, 13 Feb 2025 01:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_eus:9.4
cpe:/a:redhat:rhel_tus:8.6

Thu, 30 Jan 2025 22:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-401
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L'}


Mon, 13 Jan 2025 22:15:00 +0000

Type | Values Removed | Values Added
Description | When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird ESR < 128.6. | When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird < 128.6.

Thu, 09 Jan 2025 14:00:00 +0000

Type Values Removed Values Added
Title firefox: Memory corruption when using JavaScript Text Segmentation
First Time appeared Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Tus
Weaknesses CWE-119
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_eus:9.2
cpe:/a:redhat:rhel_tus:8.4
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat
Redhat enterprise Linux
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Tus
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 09 Jan 2025 08:45:00 +0000

Type | Values Removed | Values Added
Description | When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6. | When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Thunderbird < 134, and Thunderbird ESR < 128.6.
References

Tue, 07 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Description When segmenting specially crafted text, segmentation would corrupt memory leading to a potentially exploitable crash. This vulnerability affects Firefox < 134 and Firefox ESR < 128.6.
References

Subscriptions

Mozilla Firefox Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:08.648Z

Reserved: 2025-01-06T14:49:09.192Z

Link: CVE-2025-0241

Vulnrichment

Updated: 2025-11-03T22:33:42.156Z

NVD

Status: Modified

Published: 2025-01-07T16:15:38.767

Modified: 2026-04-13T15:16:32.930

Link: CVE-2025-0241

Redhat

Severity: Moderate

Public Date: 2025-01-07T16:07:06Z

Links: CVE-2025-0241 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses