Description
Memory safety bug present in Firefox 143 and Thunderbird 143. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144 and Thunderbird 144.
Published: 2025-10-14
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Memory corruption was discovered in Firefox 143 and Thunderbird 143. This bug allowed an attacker to corrupt the heap or stack and potentially execute arbitrary code. The result could be full control over the vulnerable application, enabling disclosure of sensitive information, remote code execution, and other malicious actions. The weakness corresponds to CWE‑119: Improper Restriction of Operations within the Bounds of a Memory Buffer.

Affected Systems

The affected products are Mozilla Firefox and Mozilla Thunderbird, specifically version 143. Users running Firefox 143 or Thunderbird 143 must update, as the bug does not exist in Firefox 144, Thunderbird 144, or later releases.

Risk and Exploitability

The vulnerability carries a CVSS base score of 9.8, indicating critical severity. The EPSS score is reported as less than 1 %, signifying a low probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Exploitation would likely require the victim to provide crafted input or otherwise trigger the bug during rendering or message handling. While current exploitation risk appears low, the high severity warrants prompt remediation.

Generated by OpenCVE AI on April 20, 2026 at 19:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 144 or a later release that includes the fix.
  • Upgrade Thunderbird to version 144 or a later release that includes the fix.
  • Enable automatic updates or regularly check for updates so that fixes for future security vulnerabilities are applied promptly, reducing the window of exposure.



Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
  Values Removed: Memory safety bug present in Firefox 143 and Thunderbird 143. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox < 144 and Thunderbird < 144.
  Values Added: Memory safety bug present in Firefox 143 and Thunderbird 143. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 144 and Thunderbird 144.

Fri, 27 Feb 2026 16:15:00 +0000

Type: Metrics
  Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 30 Oct 2025 16:30:00 +0000

Type: Title
  Values Removed: thunderbird: firefox: Memory safety bug fixed in Firefox 144 and Thunderbird 144
  Values Added: Memory safety bug fixed in Firefox 144 and Thunderbird 144

Wed, 15 Oct 2025 18:15:00 +0000

Type: First Time appeared
  Values Added: Mozilla; Mozilla firefox; Mozilla thunderbird
Type: CPEs
  Values Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*; cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Mozilla; Mozilla firefox; Mozilla thunderbird

Wed, 15 Oct 2025 14:15:00 +0000

Type: Metrics
  Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 15 Oct 2025 12:30:00 +0000

Type: Title
  Values Added: thunderbird: firefox: Memory safety bug fixed in Firefox 144 and Thunderbird 144
Type: Weaknesses
  Values Added: CWE-119
Type: References
Type: Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  Values Added: threat_severity Important


Tue, 14 Oct 2025 13:00:00 +0000

Type: Description
  Values Added: Memory safety bug present in Firefox 143 and Thunderbird 143. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox < 144 and Thunderbird < 144.
Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:31:27.599Z

Reserved: 2025-10-13T19:50:24.598Z

Link: CVE-2025-11721

Vulnrichment

Updated: 2025-10-15T13:20:46.007Z

NVD

Status: Modified

Published: 2025-10-14T13:15:38.520

Modified: 2026-04-13T15:16:41.590

Link: CVE-2025-11721

Redhat

Severity: Important

Public Date: 2025-10-14T12:27:37Z

Links: CVE-2025-11721 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T19:15:15Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer