Description
Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, and Thunderbird 128.10.
Published: 2025-04-29
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Thunderbird’s updater contains a flaw that lets a local user process with medium integrity inject code to interfere with the SYSTEM‑level update mechanism. By manipulating file‑locking, the attacker can bypass access controls and perform SYSTEM‑level file operations on paths that are normally controlled by a non‑privileged user. This fault is categorized under CWE‑22 (Path Traversal) and CWE‑94 (Code Injection), allowing the malicious actor to gain higher privileges on the machine.

Affected Systems

The vulnerability affects Mozilla's Thunderbird mail client and Firefox browser. It is present in Thunderbird and Firefox releases prior to version 138, and in Firefox ESR builds before 128.10 and 115.23. System administrators running Red Hat Enterprise Linux 8, 9, and related extended-support releases are potentially impacted when the updater runs as SYSTEM. All environments where the updater is enabled on an affected client should be examined.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity due to the potential for privilege escalation. The EPSS score is below 1%, indicating that exploitation is currently considered unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path requires local, medium‑integrity access—typically the ability to run code as a logged‑in user. An attacker could then trigger the updater to execute SYSTEM‑level actions, effectively elevating privileges and compromising system integrity.

Generated by OpenCVE AI on April 20, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Thunderbird to 138 or later, or to 128.10 if on an ESR release.
  • Update Firefox to 138 or later, or to ESR 128.10 or 115.23, per affected versions.
  • Disable or restrict the SYSTEM‑level updater from running with elevated privileges, or temporarily disable automatic updates until the patch is applied.

Advisories
Source: Debian DLA
ID: DLA-4167-1
Title: thunderbird security update

Source: EUVD
ID: EUVD-2025-12689
Title: Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10.
History

Mon, 13 Apr 2026 15:00:00 +0000

Description
  Removed: Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird < 128.10.
  Added: Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, and Thunderbird 128.10.
Title
  Removed: firefox: thunderbird: Privilege escalation in Firefox Updater
  Added: Privilege escalation in Thunderbird Updater

Mon, 03 Nov 2025 20:30:00 +0000

References
  (values not shown)

Fri, 13 Jun 2025 19:15:00 +0000

First Time appeared
  Added: Mozilla; Mozilla firefox; Mozilla thunderbird
CPEs
  Added:
    cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
    cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
    cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products
  Added: Mozilla; Mozilla firefox; Mozilla thunderbird

Wed, 14 May 2025 15:00:00 +0000

First Time appeared
  Added: Redhat rhel Aus; Redhat rhel Tus
CPEs
  Added:
    cpe:/a:redhat:rhel_aus:8.2
    cpe:/a:redhat:rhel_aus:8.4
    cpe:/a:redhat:rhel_aus:8.6
    cpe:/a:redhat:rhel_e4s:8.4
    cpe:/a:redhat:rhel_e4s:8.6
    cpe:/a:redhat:rhel_eus:8.8
    cpe:/a:redhat:rhel_tus:8.4
    cpe:/a:redhat:rhel_tus:8.6
Vendors & Products
  Added: Redhat rhel Aus; Redhat rhel Tus

Wed, 14 May 2025 02:45:00 +0000

CPEs
  Added: cpe:/o:redhat:enterprise_linux:10.0

Sat, 10 May 2025 03:30:00 +0000

CPEs
  Added: cpe:/a:redhat:rhel_eus:9.4

Fri, 09 May 2025 02:45:00 +0000

First Time appeared
  Added: Redhat rhel E4s; Redhat rhel Els; Redhat rhel Eus
CPEs
  Added:
    cpe:/a:redhat:rhel_e4s:9.0
    cpe:/a:redhat:rhel_eus:9.2
    cpe:/o:redhat:rhel_els:7
Vendors & Products
  Added: Redhat rhel E4s; Redhat rhel Els; Redhat rhel Eus

Mon, 05 May 2025 15:00:00 +0000

First Time appeared
  Added: Redhat; Redhat enterprise Linux
CPEs
  Added:
    cpe:/a:redhat:enterprise_linux:8
    cpe:/a:redhat:enterprise_linux:9
Vendors & Products
  Added: Redhat; Redhat enterprise Linux

Thu, 01 May 2025 14:30:00 +0000

Description
  Removed: Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10.
  Added: Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird < 128.10.

Thu, 01 May 2025 02:45:00 +0000

Title
  Added: firefox: thunderbird: Privilege escalation in Firefox Updater
Weaknesses
  Added: CWE-94
References
  (values not shown)
Metrics
  threat_severity
    Removed: None
    Added: Important


Tue, 29 Apr 2025 15:15:00 +0000

Weaknesses
  Added: CWE-22
Metrics
  cvssV3_1
    Added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 29 Apr 2025 13:30:00 +0000

Description
  Added: Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Firefox ESR < 115.23, Thunderbird < 138, and Thunderbird ESR < 128.10.
References
  (values not shown)

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:13.873Z

Reserved: 2025-03-26T14:08:36.146Z

Link: CVE-2025-2817

Vulnrichment

Updated: 2025-11-03T19:46:41.197Z

NVD

Status : Modified

Published: 2025-04-29T14:15:32.220

Modified: 2026-04-13T15:16:55.633

Link: CVE-2025-2817

Redhat

Severity : Important

Public Date: 2025-04-29T13:13:33Z

Links: CVE-2025-2817 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses