CVE-2025-0242 - Vulnerability Details

- Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6

Description

Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Firefox ESR 115.19, Thunderbird 134, and Thunderbird 128.6.

Published: 2025-01-07

Score: 6.5 Medium

EPSS: 2.4% Low

KEV: No

Impact:

Action:

Analysis

Impact

Memory safety bugs in Mozilla Firefox and Thunderbird lead to memory corruption that could be leveraged to execute arbitrary code. The underlying weaknesses are identified as buffer overflows (CWE‑120) and out‑of‑bounds writes (CWE‑787). If successfully exploited, the attacker could take full control of the affected application, compromising confidentiality, integrity, and availability of the system.

Affected Systems

Mozilla Firefox versions 133 and earlier, including ESR releases 115.18 and 128.5, and Mozilla Thunderbird versions 133 and earlier, including ESR releases 115.18 and 128.5, are affected. The vulnerability is resolved in Firefox 134, ESR 115.19/128.6, Thunderbird 134, and ESR 115.19/128.6.

Risk and Exploitability

The CVSS score of 6.5 places the vulnerability in the medium severity range, while an EPSS score of 2% indicates a low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is not explicitly documented in the provided description; based on the nature of the memory corruption it is inferred that an attacker would need to supply crafted data or execute code in a local or privileged context to trigger the defect. Achieving the exploit would require significant effort and detailed knowledge of the affected browser internals.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`115.19`	unaffected	≤ 115.*
`128.6`	unaffected	≤ 128.*
`134`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`128.6`	unaffected	≤ 128.*
`134`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:thunderbird::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7 Extended Lifecycle Support
firefox-0:128.6.0-1.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2025:0132	2025-01-09T00:00:00Z
Red Hat Enterprise Linux 8
firefox-0:128.6.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:0144	2025-01-09T00:00:00Z
thunderbird-0:128.6.0-3.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:0281	2025-01-13T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
firefox-0:128.6.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:0133	2025-01-09T00:00:00Z
thunderbird-0:128.6.0-3.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:0286	2025-01-13T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
firefox-0:128.6.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:0134	2025-01-09T00:00:00Z
thunderbird-0:128.6.0-3.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:0287	2025-01-13T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
firefox-0:128.6.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2025:0134	2025-01-09T00:00:00Z
thunderbird-0:128.6.0-3.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2025:0287	2025-01-13T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
firefox-0:128.6.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2025:0134	2025-01-09T00:00:00Z
thunderbird-0:128.6.0-3.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2025:0287	2025-01-13T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
firefox-0:128.6.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:0136	2025-01-09T00:00:00Z
thunderbird-0:128.6.0-3.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:0275	2025-01-13T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
firefox-0:128.6.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:0136	2025-01-09T00:00:00Z
thunderbird-0:128.6.0-3.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:0275	2025-01-13T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
firefox-0:128.6.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:0136	2025-01-09T00:00:00Z
thunderbird-0:128.6.0-3.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:0275	2025-01-13T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
firefox-0:128.6.0-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2025:0137	2025-01-09T00:00:00Z
thunderbird-0:128.6.0-3.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2025:0284	2025-01-13T00:00:00Z
Red Hat Enterprise Linux 9
firefox-0:128.6.0-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:0080	2025-01-08T00:00:00Z
thunderbird-0:128.6.0-3.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:0147	2025-01-09T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
firefox-0:128.6.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:0162	2025-01-09T00:00:00Z
thunderbird-0:128.6.0-3.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:0165	2025-01-09T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
firefox-0:128.6.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:0138	2025-01-09T00:00:00Z
thunderbird-0:128.6.0-3.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:0167	2025-01-09T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
firefox-0:128.6.0-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:0135	2025-01-09T00:00:00Z
thunderbird-0:128.6.0-3.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:0166	2025-01-09T00:00:00Z

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Firefox 134 or later, or to ESR 115.19/128.6 if using an ESR release.
Upgrade to Thunderbird 134 or later, or to ESR 115.19/128.6 if using an ESR release.
For Red Hat Enterprise Linux users, update Mozilla packages from the official RHEL repositories to the patched releases available for RHEL 8.x and RHEL 9.x distributions.

Generated by OpenCVE AI on April 21, 2026 at 22:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4011-1	firefox-esr security update
Debian DLA	DLA-4012-1	thunderbird security update
Debian DSA	DSA-5839-1	firefox-esr security update
Debian DSA	DSA-5841-1	thunderbird security update
EUVD	EUVD-2025-1574	Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6.
Ubuntu USN	USN-7191-1	Firefox vulnerabilities
Ubuntu USN	USN-7663-1	Thunderbird vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.02414.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1874523%2C1926454%2C1931873%2C1932169
https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html
https://nvd.nist.gov/vuln/detail/CVE-2025-0242
https://www.cve.org/CVERecord?id=CVE-2025-0242
https://www.mozilla.org/security/advisories/mfsa2025-01/
https://www.mozilla.org/security/advisories/mfsa2025-02/
https://www.mozilla.org/security/advisories/mfsa2025-03/
https://www.mozilla.org/security/advisories/mfsa2025-04/
https://www.mozilla.org/security/advisories/mfsa2025-05/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6.	Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 134, Firefox ESR 128.6, Firefox ESR 115.19, Thunderbird 134, and Thunderbird 128.6.
Title	firefox: thunderbird: Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6	Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6

Mon, 03 Nov 2025 23:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/01/msg00004.html

Thu, 03 Apr 2025 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla thunderbird
CPEs		cpe:2.3:a:mozilla:firefox:::::::: cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird::::::::
Vendors & Products		Mozilla Mozilla firefox Mozilla thunderbird

Thu, 13 Feb 2025 01:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:8.8 cpe:/a:redhat:rhel_eus:9.4 cpe:/a:redhat:rhel_tus:8.6

Mon, 13 Jan 2025 22:15:00 +0000

Type	Values Removed	Values Added
Description	Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird ESR < 128.6.	Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird < 128.6.

Thu, 09 Jan 2025 14:00:00 +0000

Type	Values Removed	Values Added
Title		firefox: thunderbird: Memory safety bugs fixed in Firefox 134, Thunderbird 134, Firefox ESR 115.19, Firefox ESR 128.6, Thunderbird 115.19, and Thunderbird 128.6
First Time appeared		Redhat Redhat enterprise Linux Redhat rhel Aus Redhat rhel E4s Redhat rhel Els Redhat rhel Eus Redhat rhel Tus
Weaknesses		CWE-120
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_tus:8.4 cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat Redhat enterprise Linux Redhat rhel Aus Redhat rhel E4s Redhat rhel Els Redhat rhel Eus Redhat rhel Tus
References		https://nvd.nist.gov/vuln/detail/CVE-2025-0242 https://www.cve.org/CVERecord?id=CVE-2025-0242
Metrics	threat_severity `None`	threat_severity `Important`

Thu, 09 Jan 2025 08:45:00 +0000

Type	Values Removed	Values Added
Description	Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, and Firefox ESR < 115.19.	Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, Firefox ESR < 115.19, Thunderbird < 134, and Thunderbird ESR < 128.6.
References		https://www.mozilla.org/security/advisories/mfsa2025-04/ https://www.mozilla.org/security/advisories/mfsa2025-05/

Wed, 08 Jan 2025 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-787
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 07 Jan 2025 16:15:00 +0000

Type	Values Removed	Values Added
Description		Memory safety bugs present in Firefox 133, Thunderbird 133, Firefox ESR 115.18, Firefox ESR 128.5, Thunderbird 115.18, and Thunderbird 128.5. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 134, Firefox ESR < 128.6, and Firefox ESR < 115.19.
References		https://bugzilla.mozilla.org/buglist.cgi?bug_id=1874523%2C1926454%2C1931873%2C1932169 https://www.mozilla.org/security/advisories/mfsa2025-01/ https://www.mozilla.org/security/advisories/mfsa2025-02/ https://www.mozilla.org/security/advisories/mfsa2025-03/

Subscriptions

Mozilla Firefox Thunderbird

Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-01-07T16:07:07.093Z

Updated: 2026-04-13T14:28:55.810Z

Reserved: 2025-01-06T14:49:11.467Z

Link: CVE-2025-0242

Vulnrichment

Updated: 2025-11-03T22:33:43.653Z

NVD

Status : Modified

Published: 2025-01-07T16:15:38.860

Modified: 2026-04-13T15:16:34.257

Link: CVE-2025-0242

Redhat

Severity : Important

Publid Date: 2025-01-07T16:07:07Z

Links: CVE-2025-0242 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object