Description
Race condition in the Graphics component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
Published: 2025-11-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption potentially leading to code execution
Action: Apply patch
AI Analysis

Impact

A race condition exists in the graphics rendering layer of Mozilla Firefox and Thunderbird that can cause memory corruption or unintended state changes during rendering. The vulnerability is classified as CWE‑362 and CWE‑366. Based on the description, it is inferred that an attacker might exploit this condition to execute arbitrary code by scripting malicious content that triggers rendering.

Affected Systems

Affected products include Mozilla Firefox versions prior to 145, including all ESR releases older than 140.5 and 115.30, as well as Mozilla Thunderbird versions prior to 145 and older than 140.5.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity issue. The EPSS score of less than 1 % suggests a low probability of widespread exploitation at present, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the most likely attack vector involves delivering malicious content—such as a web page or email—that triggers graphics rendering, potentially allowing local or remote code execution if the race condition is successfully triggered during rendering.

Generated by OpenCVE AI on April 20, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 145 or newer, or to Firefox ESR 140.5/115.30, and update Thunderbird to version 145 or newer or to 140.5, as these releases contain the fix.
  • If updating immediately is not possible, disable GPU acceleration by setting layers.acceleration.disabled to true in Firefox’s about:config (or the equivalent setting in Thunderbird), then restart the application.
  • Ensure that no older or unpatched copies of Firefox or Thunderbird remain in use on your system to prevent exploitation of the race condition.

Generated by OpenCVE AI on April 20, 2026 at 21:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4370-1 firefox-esr security update
Debian DLA Debian DLA DLA-4372-1 thunderbird security update
Debian DSA Debian DSA DSA-6054-1 firefox-esr security update
Debian DSA Debian DSA DSA-6059-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Race condition in the Graphics component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5. Race condition in the Graphics component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.

Wed, 19 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
Description Race condition in the Graphics component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30. Race condition in the Graphics component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5.
References

Mon, 17 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*

Thu, 13 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-362
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 12 Nov 2025 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-366
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Tue, 11 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Race condition in the Graphics component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30.
Title Race condition in the Graphics component
References

Subscriptions

Mozilla Firefox Firefox Esr
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:13.190Z

Reserved: 2025-11-11T15:12:03.494Z

Link: CVE-2025-13012

cve-icon Vulnrichment

Updated: 2025-11-13T15:38:23.316Z

cve-icon NVD

Status : Modified

Published: 2025-11-11T16:15:38.253

Modified: 2026-04-13T15:16:41.930

Link: CVE-2025-13012

cve-icon Redhat

Severity : Important

Publid Date: 2025-11-11T15:47:11Z

Links: CVE-2025-13012 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses