Description
Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Thunderbird 138, and Thunderbird 128.10.
Published: 2025-04-29
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

Memory safety bugs in Mozilla Firefox and Thunderbird allow memory corruption and, with sufficient effort, could lead to arbitrary code execution by an attacker. The vulnerability permits compromise of an affected system’s confidentiality, integrity, and availability, potentially enabling full system takeover. The weakness originates from improper bounds checking (CWE-119) and memory management errors (CWE-120).

Affected Systems

Vulnerable to hosts running Mozilla Firefox 137, Firefox ESR 128.9, Mozilla Thunderbird 137, and Thunderbird ESR 128.9. Those same vulnerable packages may also exist on Red Hat Enterprise Linux 8, 9, and various update streams; remediation requires updating the browser or Thunderbird packages to the fixed releases. The CVE does not affect later releases such as Firefox 138 or Firefox ESR 128.10, which contain the patch.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not recorded in the CISA KEV catalog, reflecting its relative novelty and low exploitation risk. However, once the bug is sufficiently understood, an attacker could craft a malicious web page or e‑mail that triggers the memory corruption, leveraging the bug to execute code. Because the description does not specify a particular network or local vector, the attack may require direct user interaction with a vulnerable document or web page. Given the high potential impact and the low current EPSS, organizations should treat the issue as a high‑risk priority yet monitor for new exploit activity.

Generated by OpenCVE AI on April 20, 2026 at 20:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 138 or later, or to Firefox ESR 128.10 if using the extended support release.
  • Update Mozilla Thunderbird to version 138 or later, or to Thunderbird ESR 128.10 if using the extended support release.
  • On Red Hat Enterprise Linux systems, run the distribution package manager to install the latest security updates for the Firefox and Thunderbird packages, ensuring the host operating system is fully patched for any ancillary libraries that could interact with the browsers.

Generated by OpenCVE AI on April 20, 2026 at 20:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4167-1 thunderbird security update
Debian DLA Debian DLA DLA-4172-1 firefox-esr security update
Debian DSA Debian DSA DSA-5910-1 firefox-esr security update
Debian DSA Debian DSA DSA-5912-1 thunderbird security update
EUVD EUVD EUVD-2025-12641 Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, and Thunderbird < 128.10.
Ubuntu USN Ubuntu USN USN-7663-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, and Thunderbird < 128.10. Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Thunderbird 138, and Thunderbird 128.10.
Title firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10 Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Mon, 22 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 14 May 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Aus
Redhat rhel Tus

Wed, 14 May 2025 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10.0

Sat, 10 May 2025 03:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:9.4

Fri, 09 May 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Fri, 09 May 2025 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:9.2
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus

Mon, 05 May 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Thu, 01 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, and Thunderbird ESR < 128.10. Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, and Thunderbird < 128.10.

Thu, 01 May 2025 02:45:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Memory safety bugs fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10
Weaknesses CWE-120
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 29 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 29 Apr 2025 13:30:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 138, Firefox ESR < 128.10, Thunderbird < 138, and Thunderbird ESR < 128.10.
References

Subscriptions

Mozilla Firefox Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:22.909Z

Reserved: 2025-04-29T13:13:47.408Z

Link: CVE-2025-4091

cve-icon Vulnrichment

Updated: 2025-11-03T19:58:53.160Z

cve-icon NVD

Status : Modified

Published: 2025-04-29T14:15:35.717

Modified: 2026-04-13T15:17:00.890

Link: CVE-2025-4091

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-04-29T13:13:48Z

Links: CVE-2025-4091 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses