Description
When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string. This vulnerability was fixed in Firefox 136 and Thunderbird 136.
Published: 2025-03-04
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply patch
AI Analysis

Impact

When the method String.toUpperCase() expands a string’s length, the resulting string can contain portions of memory that were never initialized, exposing potentially sensitive data. This flaw is classified as uninitialized memory read and buffer misuse (CWE-824, CWE-908). The assessment reflects a CVSS score of 9.8. The vulnerability allows an attacker to retrieve arbitrary data from memory through the manipulated string.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected before version 136. Any installation of these products running a version earlier than 136 is vulnerable. Versions 136 and later contain the mitigation and are not impacted.

Risk and Exploitability

The EPSS score of "< 1%" implies a very low historical exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. The attack path depends on gaining the ability to trigger a locale‑aware uppercase operation, which may arise from malicious web content, local scripts, or extensions. While the documentation does not specify the exact vector, it is reasonable to infer that the flaw can be exercised in both local and remote contexts where the application processes user‑supplied strings. The combination of a high CVSS score and low exploitation likelihood suggests a moderate to high risk that should be addressed promptly.

Generated by OpenCVE AI on April 20, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox and Mozilla Thunderbird to version 136 or later.
  • Restart the browser after the upgrade to ensure the new binary is loaded.
  • Configure the update client to apply future patches automatically to avoid similar issues.

Generated by OpenCVE AI on April 20, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7444 When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string This vulnerability affects Firefox < 136 and Thunderbird < 136.
Ubuntu USN Ubuntu USN USN-7334-1 Firefox vulnerabilities
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string This vulnerability affects Firefox < 136 and Thunderbird < 136. When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string. This vulnerability was fixed in Firefox 136 and Thunderbird 136.
Title firefox: Disclosure of uninitialized memory when .toUpperCase() causes string to get longer Disclosure of uninitialized memory when .toUpperCase() causes string to get longer

Fri, 28 Mar 2025 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Tue, 25 Mar 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 12 Mar 2025 17:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

Wed, 05 Mar 2025 03:00:00 +0000

Type Values Removed Values Added
Title firefox: Disclosure of uninitialized memory when .toUpperCase() causes string to get longer
Weaknesses CWE-824
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 05 Mar 2025 00:00:00 +0000

Type Values Removed Values Added
Description When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string This vulnerability affects Firefox < 136. When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string This vulnerability affects Firefox < 136 and Thunderbird < 136.
References

Tue, 04 Mar 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-908
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 04 Mar 2025 13:45:00 +0000

Type Values Removed Values Added
Description When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string This vulnerability affects Firefox < 136.
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:28.192Z

Reserved: 2025-03-04T12:29:51.191Z

Link: CVE-2025-1942

cve-icon Vulnrichment

Updated: 2025-03-04T15:45:14.531Z

cve-icon NVD

Status : Modified

Published: 2025-03-04T14:15:39.167

Modified: 2026-04-13T15:16:53.940

Link: CVE-2025-1942

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-03-04T13:31:25Z

Links: CVE-2025-1942 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:30:13Z

Weaknesses