Description
Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
Published: 2025-09-16
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox escape that can allow code execution outside Firefox and Thunderbird
Action: Patch Immediately
AI Analysis

Impact

This flaw stems from undefined behavior and an invalid pointer in the Canvas2D component of Gecko’s Graphics subsystem. If an attacker can trigger the problematic code path—most likely by serving malicious content that draws onto a canvas—the program can escape its sandbox, potentially executing arbitrary code with the privileges of the application. The vulnerability is a classic example of unsafe memory handling as identified by CWE‑693 and CWE‑824, and it directly threatens the confidentiality, integrity, and availability of the host system.

Affected Systems

The issue affects Mozilla Firefox 143 and earlier, Firefox ESR 140.3 and earlier, Mozilla Thunderbird 143 and earlier, and Thunderbird ESR 140.3 and earlier. Hosted environments such as Red Hat Enterprise Linux 9 and 10 are also at risk if they run a vulnerable client version, because the escape occurs within the browser or mail client process.

Risk and Exploitability

With a CVSS score of 7.3 the vulnerability is classified as high severity. The EPSS score of less than 1 % indicates a low probability of being found or used in the wild at present. It is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, via crafted web or email content that exercises Canvas2D; no local privilege escalation path is mentioned, so exploitation likely requires the victim to open a malicious page or message.

Generated by OpenCVE AI on April 20, 2026 at 17:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 143 or newer, or the ESR 140.3 release, to apply the official fix.
  • Update Thunderbird to version 143 or newer, or the ESR 140.3 release, to obtain the patch.

Generated by OpenCVE AI on April 20, 2026 at 17:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4305-1 firefox-esr security update
Debian DLA Debian DLA DLA-4311-1 thunderbird security update
Debian DSA Debian DSA DSA-6003-1 firefox-esr security update
Debian DSA Debian DSA DSA-6011-1 thunderbird security update
EUVD EUVD EUVD-2025-29561 This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.

Mon, 03 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Description This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Title firefox: thunderbird: Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component

Fri, 19 Sep 2025 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Thu, 18 Sep 2025 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693

Thu, 18 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-824
CPEs cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 17 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Sep 2025 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Tue, 16 Sep 2025 15:00:00 +0000

Type Values Removed Values Added
Description This vulnerability affects Firefox < 143 and Firefox ESR < 140.3. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
References

Tue, 16 Sep 2025 12:45:00 +0000

Type Values Removed Values Added
Description This vulnerability affects Firefox < 143 and Firefox ESR < 140.3.
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
Redhat Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:09.906Z

Reserved: 2025-09-16T06:48:35.863Z

Link: CVE-2025-10528

cve-icon Vulnrichment

Updated: 2025-11-03T18:08:29.851Z

cve-icon NVD

Status : Modified

Published: 2025-09-16T13:15:45.017

Modified: 2026-04-13T15:16:35.970

Link: CVE-2025-10528

cve-icon Redhat

Severity : Important

Publid Date: 2025-09-16T12:26:35Z

Links: CVE-2025-10528 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:00:11Z

Weaknesses