Description
Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 145 and Thunderbird 145.
Published: 2025-11-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Memory safety bugs in Firefox 144 and Thunderbird 144 caused memory corruption, allowing, with sufficient effort, the execution of arbitrary code. The bugs correspond to well-known weaknesses in handling memory bounds and buffer overreads (CWE-119 and CWE-825).

Affected Systems

Mozilla Firefox version 144 and Mozilla Thunderbird version 144 are affected. The vulnerabilities were addressed in Firefox 145 and Thunderbird 145, which should be installed to eliminate the risk.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. The EPSS score of less than 1% reflects a very low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. While the description does not state a precise attack vector, the nature of memory corruption suggests that exploitation would likely involve an attacker supplying malicious content (e.g., through a web page or email) that triggers the vulnerable code path. The attack would require the victim to run the affected software with the compromised content in a context that allows memory corruption.

Generated by OpenCVE AI on April 20, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 145 or later and Thunderbird to version 145 or later.
  • Ensure automatic updates for Mozilla products are enabled so future patches are applied promptly.
  • If an upgrade is not immediately possible, consider restricting the use of the affected applications or isolating them from untrusted networks to reduce exposure to potential malicious content.

Generated by OpenCVE AI on April 20, 2026 at 17:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 145 and Thunderbird < 145. Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 145 and Thunderbird 145.

Wed, 19 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 145. Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 145 and Thunderbird < 145.
References

Mon, 17 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

Wed, 12 Nov 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Wed, 12 Nov 2025 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Tue, 11 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 144 and Thunderbird 144. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 145.
Title Memory safety bugs fixed in Firefox 145 and Thunderbird 145
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:42.181Z

Reserved: 2025-11-11T15:12:38.453Z

Link: CVE-2025-13027

cve-icon Vulnrichment

Updated: 2025-11-12T14:53:32.283Z

cve-icon NVD

Status : Modified

Published: 2025-11-11T16:15:39.820

Modified: 2026-04-13T15:16:44.647

Link: CVE-2025-13027

cve-icon Redhat

Severity : Important

Publid Date: 2025-11-11T15:47:17Z

Links: CVE-2025-13027 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:45:12Z

Weaknesses