Description
Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 137 and Thunderbird 137.
Published: 2025-04-01
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Memory safety bugs were present in Firefox 136 and Thunderbird 136, leading to memory corruption that could, with significant effort, allow an attacker to execute arbitrary code on an affected system. The vulnerability carries a CVSS score of 8.1, indicating a high severity for exploitation. While no confirmed production exploitation has been reported, the description suggests that the bugs were serious enough to warrant a patch.

Affected Systems

Mozilla products Firefox and Thunderbird are affected. Version 136 of both browsers contains the bugs while version 137 and later incorporate the fixed code. No other versions are listed as impacted.

Risk and Exploitability

The EPSS score of less than 1% indicates that the likelihood of exploitation at this time is low, and the vulnerability is not currently listed in the CISA KEV catalog. However, the high CVSS score and the potential for arbitrary code execution mean that the risk to any system running the vulnerable versions remains significant. A patch is the only reliable protection, and delayed remediation would leave systems vulnerable to an exploited memory corruption flaw.

Generated by OpenCVE AI on April 20, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 137 or later and Thunderbird to version 137 or later. This is the official vendor fix for the memory safety bugs.
  • Ensure that automatic updates are enabled or schedule regular manual updates to keep Mozilla products current and prevent re‑introduction of the affected code.
  • Monitor for signs of exploitation such as application crashes or anomalous memory usage in system logs.

Generated by OpenCVE AI on April 20, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-9304 Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 137 and Thunderbird < 137.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 137 and Thunderbird < 137. Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 137 and Thunderbird 137.
Title Memory safety bugs fixed in Firefox 137 and Thunderbird 137

Mon, 07 Apr 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
Weaknesses CWE-787
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Wed, 02 Apr 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 01 Apr 2025 12:45:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 136 and Thunderbird 136. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 137 and Thunderbird < 137.
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:29:37.069Z

Reserved: 2025-03-31T09:35:33.843Z

Link: CVE-2025-3034

cve-icon Vulnrichment

Updated: 2025-04-02T15:07:35.996Z

cve-icon NVD

Status : Modified

Published: 2025-04-01T13:15:41.790

Modified: 2026-04-13T15:16:57.333

Link: CVE-2025-3034

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses