Description
Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
Published: 2025-09-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution potential through memory corruption
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a set of memory safety bugs in Mozilla Firefox ESR 140.2, Firefox 142, Thunderbird ESR 140.2, and Thunderbird 142, classified as CWE-119 (improper restriction of operations within the bounds of a memory buffer). Some of the bugs showed evidence of memory corruption, and Mozilla presumes that with enough effort some of them could be exploited to run arbitrary code, which would compromise the confidentiality, integrity, and availability of the affected system; the CVSS vector rates all three impacts as High.

Affected Systems

Every Firefox release below 143, every Firefox ESR release below 140.3, every Thunderbird release below 143, and every Thunderbird ESR release below 140.3 is affected; the advisory names ESR 140.2 and the mainstream 142 releases as the versions in which the bugs were found. Red Hat Enterprise Linux 9 and 10 are listed because they ship these packages, but the flaw is in the Mozilla code itself, so any operating system running a vulnerable build is exposed. The fixes are delivered in Firefox 143 and ESR 140.3, and in Thunderbird 143 and ESR 140.3.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) classifies this as a high‑severity flaw: the bugs are reachable over the network with low attack complexity and no privileges, but they require user interaction, typically rendering attacker‑controlled content such as a crafted web page or e‑mail. The EPSS score of less than 1% and the SSVC assessment (Exploitation: none, Automatable: no, Technical Impact: total) indicate no known exploitation and a low but non‑zero probability of it at this time, and the vulnerability is not listed in CISA’s KEV catalog. No public exploit is referenced, but memory corruption in a browser or mail client is a standard entry point for drive‑by attacks, so the high severity warrants prompt mitigation.

Generated by OpenCVE AI on April 20, 2026 at 19:33 UTC.

Remediation

Vendor fix: Mozilla fixed the bugs in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird ESR 140.3. No workaround is documented; updating is the only remediation.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to at least version 143 or ESR 140.3, and upgrade Mozilla Thunderbird to at least version 143 or ESR 140.3 on all hosts that use these browsers.
  • Do not weaken the default process sandbox (the effective content‑process sandbox level is shown in the Sandbox section of about:support), and restrict extensions and other add‑ons through enterprise policy, since add‑ons run with browser privileges and enlarge the code an attacker can reach after a memory corruption.
  • Apply all relevant operating‑system security patches; on Red Hat Enterprise Linux 9 and 10 this means the firefox and thunderbird errata, which Red Hat rates Important. Keep mandatory access control such as SELinux in enforcing mode to limit what a compromised browser process can reach.
  • Monitor for clusters of Firefox or Thunderbird content‑process crashes (crash reporter submissions, core dumps, application crash events), which are the usual observable when a memory corruption bug is triggered, and track patch deployment so that any host still below the fixed versions is flagged.
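The version check behind the first recommended action, as an added example that is not OpenCVE or Mozilla code: it classifies Firefox and Thunderbird version strings against the fixed releases the advisory names (Firefox 143 / ESR 140.3, Thunderbird 143 / ESR 140.3). The host names and inventory entries are constructed for the example; the `installed_version` helper assumes the local binary answers `--version` with a line containing the version number, as `firefox --version` does.

```python
"""Added example (not OpenCVE or Mozilla code): flag Firefox/Thunderbird
builds still below the CVE-2025-10537 fixed releases.

Fixed per the advisory: Firefox 143, Firefox ESR 140.3, Thunderbird 143,
Thunderbird ESR 140.3. Everything below those on the respective branch
is affected (Firefox < 143, ESR < 140.3, Thunderbird < 143, < 140.3).
"""
import re
import shutil
import subprocess

FIXED_ESR = (140, 3, 0)       # the 140.x line is the ESR branch, fixed at 140.3
FIXED_MAINLINE = (143, 0, 0)  # every other branch is fixed at 143

# Leftmost dotted number in the text; minor and patch are optional.
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from strings such as 'Mozilla Firefox
    142.0.1', '140.2.0esr', 'firefox-140.3.0-1.el9' or 'Thunderbird 140.3.0'.
    Returns None when the text carries no version number at all."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2) or "0", m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected(version):
    """True when a (major, minor, patch) tuple sits in an affected range.
    140.x is compared against the ESR fix; 141.x and 142.x are mainline
    releases below 143 and therefore affected."""
    if version[0] == FIXED_ESR[0]:
        return version < FIXED_ESR
    return version < FIXED_MAINLINE


def installed_version(binary):
    """Ask the local binary for its version ('firefox --version' prints
    'Mozilla Firefox 142.0.1'); None if it is absent or does not answer."""
    path = shutil.which(binary)
    if path is None:
        return None
    try:
        proc = subprocess.run([path, "--version"], capture_output=True,
                              text=True, timeout=15, check=False)
    except (OSError, subprocess.SubprocessError):
        return None
    return parse_version(proc.stdout)


# Constructed inventory for the example (host, product, version string as
# reported by the package manager or the binary). These are not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "Mozilla Firefox 142.0.1"),
    ("ws-02", "firefox", "Mozilla Firefox 143.0"),
    ("srv-03", "firefox", "firefox-140.2.0-1.el9"),
    ("srv-04", "firefox", "firefox-140.3.0-1.el9"),
    ("ws-05", "thunderbird", "Thunderbird 140.2.0"),
    ("ws-06", "thunderbird", "Thunderbird 143.0"),
    ("ws-07", "firefox", "Mozilla Firefox 141.0"),
]


def affected_hosts(inventory):
    """Return [(host, product, version_tuple)] for entries that still need
    the fix. Unparseable versions are reported (with None) rather than
    silently skipped, so an odd package string cannot hide a vulnerable host."""
    result = []
    for host, product, text in inventory:
        v = parse_version(text)
        if v is None or is_affected(v):
            result.append((host, product, v))
    return result


if __name__ == "__main__":
    for host, product, v in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {product} {v} needs the CVE-2025-10537 update")
    for binary in ("firefox", "thunderbird"):
        v = installed_version(binary)
        if v is not None:
            print(f"local {binary} {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
```

For distribution packages, confirm the fixed package version against the distribution's own advisory (the Debian DSA/DLA, Ubuntu USN and Red Hat errata listed under Advisories) rather than relying on the upstream number alone, since a distribution may ship the fix under its own package revision.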


Advisories
Source        ID                 Title
Debian DLA    DLA-4305-1         firefox-esr security update
Debian DLA    DLA-4311-1         thunderbird security update
Debian DSA    DSA-6003-1         firefox-esr security update
Debian DSA    DSA-6011-1         thunderbird security update
EUVD          EUVD-2025-29557    Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Ubuntu USN    USN-7991-1         Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Values Added: Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.

Mon, 03 Nov 2025 19:30:00 +0000


Thu, 30 Oct 2025 16:30:00 +0000

Type: Title
Values Removed: firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143
Values Added: Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143

Mon, 22 Sep 2025 16:45:00 +0000

Type: CPEs
Values Added:
  cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
  cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
  cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
  cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Thu, 18 Sep 2025 00:15:00 +0000

Type: Title
Values Added: firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143
Type: First Time appeared
Values Added: Redhat, Redhat enterprise Linux
Type: CPEs
Values Added:
  cpe:/a:redhat:enterprise_linux:9
  cpe:/o:redhat:enterprise_linux:10.0
Type: Vendors & Products
Values Added: Redhat, Redhat enterprise Linux
Type: References
Type: Metrics
Values Removed: threat_severity: None
Values Added: threat_severity: Important


Wed, 17 Sep 2025 11:00:00 +0000

Type: First Time appeared
Values Added: Mozilla, Mozilla firefox, Mozilla firefox Esr, Mozilla thunderbird
Type: Vendors & Products
Values Added: Mozilla, Mozilla firefox, Mozilla firefox Esr, Mozilla thunderbird

Tue, 16 Sep 2025 19:15:00 +0000

Type: Weaknesses
Values Added: CWE-119
Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Sep 2025 15:00:00 +0000

Type: Description
Values Removed: Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 143 and Firefox ESR < 140.3.
Values Added: Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 143, Firefox ESR < 140.3, Thunderbird < 143, and Thunderbird < 140.3.
Type: References

Tue, 16 Sep 2025 12:45:00 +0000

Type: Description
Values Added: Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 143 and Firefox ESR < 140.3.
Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:25.818Z

Reserved: 2025-09-16T06:48:52.559Z

Link: CVE-2025-10537

Vulnrichment

Updated: 2025-11-03T18:08:38.494Z

NVD

Status : Modified

Published: 2025-09-16T13:15:49.433

Modified: 2026-04-13T15:16:37.560

Link: CVE-2025-10537

Redhat

Severity : Important

Public Date: 2025-09-16T12:26:37Z

Links: CVE-2025-10537 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T19:45:15Z

Weaknesses