Description
Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.10 and Thunderbird 128.10.
Published: 2025-04-29
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via memory corruption
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a memory safety bug that existed in Firefox ESR 128.9 and Thunderbird 128.9, causing memory corruption that could be leveraged to run arbitrary code. It represents a buffer overflow and classic buffer overrun weakness (CWE-119, CWE-120) and has a CVSS score of 8.1, indicating high severity.

Affected Systems

Affected products are Mozilla Firefox ESR and Thunderbird ESR. All releases prior to 128.10 are impacted, including 128.9. The bug is relevant to installations on systems identified by the supplied CPE strings, such as Red Hat Enterprise Linux 8 and 9 and their extended support variants.

Risk and Exploitability

The EPSS score is less than 1%, indicating a low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. The most likely attack path is remote, involving malicious content rendered by the browser—such as a crafted web page or a deceptive email—to trigger the memory corruption and potentially execute arbitrary code. No public exploit is known, but the high CVSS score warrants proactive mitigation.

Generated by OpenCVE AI on April 20, 2026 at 17:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox ESR to 128.10 or a later version, and upgrade Thunderbird ESR to 128.10 or later, which contain the patch for this memory safety bug.
  • Enable automatic updates for Firefox ESR and Thunderbird ESR so that future security fixes are applied without user intervention.
  • If an immediate upgrade is not feasible, limit the use of these browsers for potentially untrusted content, disable native plugins or features that execute native code, and monitor for anomalous activity that could indicate exploitation attempts.

Generated by OpenCVE AI on April 20, 2026 at 17:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4167-1 thunderbird security update
Debian DLA Debian DLA DLA-4172-1 firefox-esr security update
Debian DSA Debian DSA DSA-5910-1 firefox-esr security update
Debian DSA Debian DSA DSA-5912-1 thunderbird security update
EUVD EUVD EUVD-2025-12642 Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird < 128.10.
Ubuntu USN Ubuntu USN USN-7663-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird < 128.10. Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.10 and Thunderbird 128.10.
Title firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10 Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Mon, 22 Sep 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 14 May 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_eus:8.8
cpe:/a:redhat:rhel_tus:8.4
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Aus
Redhat rhel Tus

Wed, 14 May 2025 02:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10.0

Sat, 10 May 2025 03:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_eus:9.4

Fri, 09 May 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Fri, 09 May 2025 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:9.2
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus

Mon, 05 May 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Fri, 02 May 2025 02:45:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10
Weaknesses CWE-120
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 01 May 2025 14:30:00 +0000

Type Values Removed Values Added
Description Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird ESR < 128.10. Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird < 128.10.

Tue, 29 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 29 Apr 2025 13:30:00 +0000

Type Values Removed Values Added
Description Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird ESR < 128.10.
References

Subscriptions

Mozilla Firefox Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:25.816Z

Reserved: 2025-04-29T13:13:50.246Z

Link: CVE-2025-4093

cve-icon Vulnrichment

Updated: 2025-11-03T19:58:54.629Z

cve-icon NVD

Status : Modified

Published: 2025-04-29T14:15:35.907

Modified: 2026-04-13T15:17:01.237

Link: CVE-2025-4093

cve-icon Redhat

Severity : Important

Publid Date: 2025-04-29T13:13:50Z

Links: CVE-2025-4093 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:15:12Z

Weaknesses