Description
Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
Published: 2025-12-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential arbitrary code execution through memory corruption
Action: Patch promptly
AI Analysis

Impact

These memory safety bugs enable memory corruption that could allow an attacker to execute arbitrary code on the host. The associated weaknesses are buffer overread or write errors, exposing the system to severe confidentiality, integrity, and availability impacts.

Affected Systems

Vulnerable products include Mozilla Firefox version 145 and the 140.5 ESR release, and Mozilla Thunderbird version 145 and the 140.5 ESR release. The fixes are deployed in Firefox 146 and ESR 140.6, and in Thunderbird 146 and ESR 140.6.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity vulnerability, while the EPSS score of less than 1% shows a very low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an attacker crafting malicious web content or email attachments that trigger the memory bug, leading to code execution; however, this inference is drawn from the type of memory corruption described and not explicitly stated in the advisory.

Generated by OpenCVE AI on April 20, 2026 at 17:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest updates: upgrade to Firefox 146 or ESR 140.6 and to Thunderbird 146 or ESR 140.6.
  • Ensure that automatic updates are enabled for both Firefox and Thunderbird so future fixes are applied automatically.
  • Monitor system and application logs for signs of abnormal memory usage or recovery from crashes that may indicate a memory corruption attempt.

Generated by OpenCVE AI on April 20, 2026 at 17:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4401-1 firefox-esr security update
Debian DLA Debian DLA DLA-4405-1 thunderbird security update
Debian DSA Debian DSA DSA-6078-1 firefox-esr security update
Debian DSA Debian DSA DSA-6081-1 thunderbird security update
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6. Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

Tue, 13 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Wed, 10 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Wed, 10 Dec 2025 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Wed, 10 Dec 2025 14:45:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146 and Firefox ESR < 140.6. Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, and Thunderbird < 140.6.
References

Wed, 10 Dec 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 09 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Dec 2025 13:45:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146 and Firefox ESR < 140.6.
Title Memory safety bugs fixed in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:25:45.424Z

Reserved: 2025-12-09T13:38:09.392Z

Link: CVE-2025-14333

cve-icon Vulnrichment

Updated: 2025-12-09T15:24:55.888Z

cve-icon NVD

Status : Modified

Published: 2025-12-09T16:17:40.990

Modified: 2026-04-13T15:16:47.033

Link: CVE-2025-14333

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-12-09T13:38:09Z

Links: CVE-2025-14333 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:45:12Z

Weaknesses