CVE-2025-11714 - Vulnerability Details

- Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144

Description

Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

Published: 2025-10-14

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Memory safety bugs in Mozilla Firefox and Thunderbird involve heap overflows (CWE‑119), out‑of‑bounds reads (CWE‑125), and out‑of‑bounds writes (CWE‑787). These flaws can corrupt memory and, given sufficient effort, allow an attacker to run arbitrary code. The likely attack vector is through crafted web content or malicious email attachments, inferred from the described memory corruption and potential arbitrary code execution.

Affected Systems

Affected products include Mozilla Firefox, namely the ESR 115.x and ESR 140.x branches and the base releases 143 and 144, and Mozilla Thunderbird, specifically the ESR 140.x branch and the base releases 143 and 144. The security fixes were deployed in Firefox 144, Firefox ESR 115.29 and 140.4, Thunderbird 144 and Thunderbird ESR 140.4. Users running earlier versions are vulnerable.

Risk and Exploitability

The CVSS v3.1 score of 8.8 indicates high severity. The EPSS score is below 1%, suggesting a low probability of widespread exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the potential for arbitrary code execution through crafted web pages or malicious email attachments means the risk remains significant for users of unpatched browsers. The attack vector is inferred from the nature of the memory corruption rather than explicitly stated in the CVE description.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`115.29`	unaffected	≤ 115.*
`140.4`	unaffected	≤ 140.*
`144`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`140.4`	unaffected	≤ 140.*
`144`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:thunderbird::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

No data.

Vendor	Product	Confidence	Versions
Mozilla	Firefox	—	—
Mozilla	Firefox Esr	—	—
Mozilla	Thunderbird	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade all Mozilla Firefox installations to version 144 or any ESR release newer than 115.29 or 140.4.
Upgrade all Mozilla Thunderbird installations to version 144 or any ESR release newer than 140.4.
Configure the operating system’s package manager to automatically install security updates for Mozilla products, or regularly check Mozilla’s security advisory pages for new releases.

Generated by OpenCVE AI on April 20, 2026 at 19:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4335-1	firefox-esr security update
Debian DLA	DLA-4351-1	thunderbird security update
Debian DSA	DSA-6025-1	firefox-esr security update
Debian DSA	DSA-6040-1	thunderbird security update
Ubuntu USN	USN-7991-1	Thunderbird vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00056.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1973699%2C1989945%2C1990970%2C1991040%2C1992113
https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html
https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html
https://nvd.nist.gov/vuln/detail/CVE-2025-11714
https://www.cve.org/CVERecord?id=CVE-2025-11714
https://www.mozilla.org/security/advisories/mfsa2025-81/
https://www.mozilla.org/security/advisories/mfsa2025-82/
https://www.mozilla.org/security/advisories/mfsa2025-83/
https://www.mozilla.org/security/advisories/mfsa2025-83/#CVE-2025-11714
https://www.mozilla.org/security/advisories/mfsa2025-84/
https://www.mozilla.org/security/advisories/mfsa2025-85/
https://www.mozilla.org/security/advisories/mfsa2025-85/#CVE-2025-11714

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.	Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

Mon, 03 Nov 2025 18:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html

Thu, 30 Oct 2025 16:30:00 +0000

Type	Values Removed	Values Added
Title	thunderbird: firefox: Memory safety bugs	Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144

Mon, 20 Oct 2025 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla firefox Esr
Vendors & Products		Mozilla firefox Esr

Thu, 16 Oct 2025 14:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla thunderbird
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird::::::::
Vendors & Products		Mozilla Mozilla firefox Mozilla thunderbird

Wed, 15 Oct 2025 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-125 CWE-787
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`

Wed, 15 Oct 2025 12:30:00 +0000

Type	Values Removed	Values Added
Title		thunderbird: firefox: Memory safety bugs
Weaknesses		CWE-119
References		https://nvd.nist.gov/vuln/detail/CVE-2025-11714 https://www.cve.org/CVERecord?id=CVE-2025-11714 https://www.mozilla.org/security/advisories/mfsa2025-83/#CVE-2025-11714 https://www.mozilla.org/security/advisories/mfsa2025-85/#CVE-2025-11714
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}` threat_severity `Important`

Tue, 14 Oct 2025 13:00:00 +0000

Type	Values Removed	Values Added
Description		Memory safety bugs present in Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 144, Firefox ESR < 115.29, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.
References		https://bugzilla.mozilla.org/buglist.cgi?bug_id=1973699%2C1989945%2C1990970%2C1991040%2C1992113 https://www.mozilla.org/security/advisories/mfsa2025-81/ https://www.mozilla.org/security/advisories/mfsa2025-82/ https://www.mozilla.org/security/advisories/mfsa2025-83/ https://www.mozilla.org/security/advisories/mfsa2025-84/ https://www.mozilla.org/security/advisories/mfsa2025-85/

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-10-14T12:27:34.820Z

Updated: 2026-04-13T14:29:23.290Z

Reserved: 2025-10-13T19:50:12.815Z

Link: CVE-2025-11714

Vulnrichment

Updated: 2025-11-03T17:32:01.391Z

NVD

Status : Modified

Published: 2025-10-14T13:15:37.680

Modified: 2026-04-13T15:16:40.350

Link: CVE-2025-11714

Redhat

Severity : Important

Publid Date: 2025-10-14T12:27:34Z

Links: CVE-2025-11714 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T19:15:15Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object