Description
Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
Published: 2025-09-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox escape enabling remote code execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free vulnerability in Mozilla’s Canvas2D graphics component permits the sandbox to be bypassed, potentially allowing attackers to execute code outside the browser or email client’s restricted environment. This flaw is an example of CWE‑416, i.e., memory safety errors that can lead to arbitrary code execution once an attacker is able to control the freed memory region. The impact includes the possibility of full system compromise if the sandbox escape is leveraged, as privileges granted to the browser process can be abused.

Affected Systems

The breach affects Mozilla products, specifically Firefox versions prior to 143 (and ESR 140.3) and Thunderbird versions prior to 143 (and ESR 140.3). Host operating systems listed in the CPEs include Red Hat Enterprise Linux 9 and 10, but the vulnerability resides solely in the application layer of the browser and mail client.

Risk and Exploitability

The CVSS score of 7.1 indicates a high‐severity risk, yet the EPSS score of <1% suggests a very low probability of exploitation in the wild so far. The vulnerability is not currently catalogued in CISA’s KEV list. Attackers would need to supply malicious content that exercises the broken Canvas2D logic, implying that the vector is likely a remote web page or phishing email that includes canvas elements. Under the current threat landscape, responsible parties should prepare to mitigate the risk promptly due to the critical nature of sandbox escape flaws.

Generated by OpenCVE AI on April 20, 2026 at 17:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 143 or newer (or ESR 140.3+), which contains the Canvas2D memory safety fix.
  • Update Thunderbird to version 143 or newer (or ESR 140.3+), which includes the same patch.
  • If a patch cannot be applied immediately, disable Canvas rendering for untrusted content by configuring the browser policy or about:config settings that prevent canvas element usage in web pages and email messages.

Generated by OpenCVE AI on April 20, 2026 at 17:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4305-1 firefox-esr security update
Debian DLA Debian DLA DLA-4311-1 thunderbird security update
Debian DSA Debian DSA DSA-6003-1 firefox-esr security update
Debian DSA Debian DSA DSA-6011-1 thunderbird security update
EUVD EUVD EUVD-2025-29562 This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.

Mon, 03 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Description This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Title firefox: thunderbird: Sandbox escape due to use-after-free in the Graphics: Canvas2D component Sandbox escape due to use-after-free in the Graphics: Canvas2D component

Fri, 19 Sep 2025 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Thu, 18 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Sandbox escape due to use-after-free in the Graphics: Canvas2D component
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 17 Sep 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Tue, 16 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Sep 2025 15:00:00 +0000

Type Values Removed Values Added
Description This vulnerability affects Firefox < 143 and Firefox ESR < 140.3. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Tue, 16 Sep 2025 12:45:00 +0000

Type Values Removed Values Added
Description This vulnerability affects Firefox < 143 and Firefox ESR < 140.3.
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:08.186Z

Reserved: 2025-09-16T06:48:33.808Z

Link: CVE-2025-10527

cve-icon Vulnrichment

Updated: 2025-11-03T18:08:27.952Z

cve-icon NVD

Status : Modified

Published: 2025-09-16T13:15:44.457

Modified: 2026-04-13T15:16:35.760

Link: CVE-2025-10527

cve-icon Redhat

Severity : Important

Publid Date: 2025-09-16T12:26:35Z

Links: CVE-2025-10527 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:00:11Z

Weaknesses