Description
Starting in Thunderbird 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. This vulnerability was fixed in Firefox 144 and Thunderbird 144.
Published: 2025-10-14
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via application crash
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free condition in the native messaging web‑extension API that can lead to crashes on Windows. The memory corruption can cause Mozilla Thunderbird or Firefox to terminate unexpectedly, resulting in a denial‑of‑service situation. The description does not indicate that the flaw can be used to achieve code execution or data exfiltration; it only mentions crashes.

Affected Systems

Mozilla Thunderbird versions beginning with 143 on Windows are affected until the bug is fixed in version 144. Mozilla Firefox was patched in version 144, indicating that earlier releases may also be vulnerable, but the provided description does not identify specific Firefox versions that are impacted.

Risk and Exploitability

The CVSS score of 9.8 indicates a high‑severity flaw. The EPSS score is reported as less than 1 %, meaning the likelihood of exploitation is very low under current conditions. Because the CVE is not listed in the CISA KEV catalog, there is no known widespread exploitation in the wild. The likely attack vector would involve a malicious web extension running on a Windows machine; however, exploitation would still depend on the extension having native messaging privileges and would only lead to crashes rather than more severe compromise.

Generated by OpenCVE AI on April 20, 2026 at 19:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 144 or later
  • Update Mozilla Thunderbird to version 144 or later
  • Remove or disable any untrusted web extensions that use native messaging

Generated by OpenCVE AI on April 20, 2026 at 19:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Starting in Thunderbird 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. This vulnerability affects Firefox < 144 and Thunderbird < 144. Starting in Thunderbird 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. This vulnerability was fixed in Firefox 144 and Thunderbird 144.

Fri, 14 Nov 2025 15:30:00 +0000

Type Values Removed Values Added
Description Starting in Firefox 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. This vulnerability affects Firefox < 144 and Thunderbird < 144. Starting in Thunderbird 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. This vulnerability affects Firefox < 144 and Thunderbird < 144.

Thu, 30 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
Title thunderbird: firefox: Use-after-free caused by the native messaging web extension API on Windows Use-after-free caused by the native messaging web extension API on Windows

Wed, 15 Oct 2025 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 15 Oct 2025 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft windows
Mozilla
Mozilla firefox
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft windows
Mozilla
Mozilla firefox

Wed, 15 Oct 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 15 Oct 2025 12:30:00 +0000

Type Values Removed Values Added
Title thunderbird: firefox: Use-after-free caused by the native messaging web extension API on Windows
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Tue, 14 Oct 2025 13:00:00 +0000

Type Values Removed Values Added
Description Starting in Firefox 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. This vulnerability affects Firefox < 144 and Thunderbird < 144.
References

Subscriptions

Microsoft Windows
Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:31:23.549Z

Reserved: 2025-10-13T19:50:20.373Z

Link: CVE-2025-11719

cve-icon Vulnrichment

Updated: 2025-10-15T13:20:57.558Z

cve-icon NVD

Status : Modified

Published: 2025-10-14T13:15:38.287

Modified: 2026-04-13T15:16:41.257

Link: CVE-2025-11719

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-10-14T12:27:36Z

Links: CVE-2025-11719 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:15:15Z

Weaknesses