Description
Incorrect boundary conditions in the JavaScript: GC component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
Published: 2025-09-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Mozilla’s JavaScript garbage collector contains an incorrect boundary check that can cause an out‑of‑bounds read (CWE‑125) or buffer under‑read (CWE‑754). An attacker who can cause the garbage collector to process crafted data may trigger a crash in the rendering or email process, leading to a denial of service and potential loss of availability for the affected user. The vulnerability does not enable code execution or data disclosure, but the stability impact of a crash is significant for the application’s user experience.

Affected Systems

The flaw affects Mozilla Firefox and Thunderbird, impacting all releases up to but not including Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3. Systems running any prior versions remain vulnerable while those on the specified or newer updates are safe.

Risk and Exploitability

The CVSS score of 6.5 marks this as moderate severity. The EPSS score of less than 1% indicates a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require the attacker to inject malicious JavaScript that the client machine processes, so the attack vector is reasonably limited to local or remote contexts where the user can run arbitrary script. Because no remote code execution component is present, the risk to confidentiality or integrity is low, but the availability impact warrants timely remediation.

Generated by OpenCVE AI on April 20, 2026 at 17:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 143 or newer (or Firefox ESR 140.3 or newer) and to Thunderbird 143 or newer (or Thunderbird ESR 140.3 or newer) to receive the corrected garbage collector.
  • If an upgrade cannot be performed immediately, consider disabling or limiting JavaScript execution in the affected applications as a temporary mitigation, keeping in mind that this may affect normal functionality.
  • Stay informed of further security notices from Mozilla and apply subsequent patches promptly once they are released.

Advisories
Source | ID | Title
Debian DLA | DLA-4305-1 | firefox-esr security update
Debian DLA | DLA-4311-1 | thunderbird security update
Debian DSA | DSA-6003-1 | firefox-esr security update
Debian DSA | DSA-6011-1 | thunderbird security update
EUVD | EUVD-2025-29559 | This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Ubuntu USN | USN-7991-1 | Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | Incorrect boundary conditions in the JavaScript: GC component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. | Incorrect boundary conditions in the JavaScript: GC component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.

Mon, 03 Nov 2025 19:30:00 +0000


Thu, 30 Oct 2025 16:30:00 +0000

Type | Values Removed | Values Added
Description | This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3. | Incorrect boundary conditions in the JavaScript: GC component. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Title | firefox: thunderbird: Incorrect boundary conditions in the JavaScript: GC component | Incorrect boundary conditions in the JavaScript: GC component

Fri, 19 Sep 2025 21:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*; cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*; cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Thu, 18 Sep 2025 00:15:00 +0000

Type | Values Removed | Values Added
Title | | firefox: thunderbird: Incorrect boundary conditions in the JavaScript: GC component
First Time appeared | | Redhat; Redhat enterprise Linux
Weaknesses | | CWE-125
CPEs | | cpe:/a:redhat:enterprise_linux:9; cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products | | Redhat; Redhat enterprise Linux
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Wed, 17 Sep 2025 17:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-754
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Sep 2025 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla; Mozilla firefox; Mozilla firefox Esr; Mozilla thunderbird
Vendors & Products | | Mozilla; Mozilla firefox; Mozilla firefox Esr; Mozilla thunderbird

Tue, 16 Sep 2025 15:00:00 +0000

Type | Values Removed | Values Added
Description | This vulnerability affects Firefox < 143 and Firefox ESR < 140.3. | This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
References | |

Tue, 16 Sep 2025 12:45:00 +0000

Type | Values Removed | Values Added
Description | | This vulnerability affects Firefox < 143 and Firefox ESR < 140.3.
References | |

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
Redhat Enterprise Linux
MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:17.996Z

Reserved: 2025-09-16T06:48:42.913Z

Link: CVE-2025-10532

Vulnrichment

Updated: 2025-11-03T18:08:33.712Z

NVD

Status: Modified

Published: 2025-09-16T13:15:47.067

Modified: 2026-04-13T15:16:36.677

Link: CVE-2025-10532

Redhat

Severity: Moderate

Public Date: 2025-09-16T12:26:36Z

Links: CVE-2025-10532 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T18:00:11Z

Weaknesses