Description
Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.11 and Thunderbird 128.11.
Published: 2025-05-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption with potential for arbitrary code execution
Action: Apply Patch
AI Analysis

Impact

A memory safety bug was identified in Firefox ESR 128.10 and Thunderbird 128.10, causing memory corruption that could allow an attacker to execute arbitrary code. The flaw involves unsafe handling of data (CWE-119, CWE-787) and has been fixed in the 128.11 releases.

Affected Systems

The vulnerability affects Mozilla Firefox ESR and Thunderbird versions 128.10. Users running these specific revision numbers are at risk; the problem has been addressed in the subsequent 128.11 updates.

Risk and Exploitability

The CVSS score of 8.1 indicates a high-severity vulnerability, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Although the attack vector is not explicitly documented, it can be inferred that malicious web content or email attachments could trigger the vulnerable memory handling, leading to execution of attacker‑chosen code if the conditions are met.

Generated by OpenCVE AI on April 20, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox ESR to version 128.11 or later, following Mozilla’s official security advisory.
  • Update Thunderbird to version 128.11 or later, following Mozilla’s official security advisory.
  • If immediate update is not possible, restrict or quarantine environments from loading untrusted web pages or email attachments until the patch can be applied.

Generated by OpenCVE AI on April 20, 2026 at 17:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4191-1 firefox-esr security update
Debian DLA Debian DLA DLA-4194-1 thunderbird security update
Debian DSA Debian DSA DSA-5926-1 firefox-esr security update
Debian DSA Debian DSA DSA-5932-1 thunderbird security update
EUVD EUVD EUVD-2025-18098 Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.11 and Thunderbird < 128.11.
Ubuntu USN Ubuntu USN USN-7663-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.11 and Thunderbird < 128.11. Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox ESR 128.11 and Thunderbird 128.11.

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Memory safety bug Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird 128.11

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 16 Jun 2025 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els

Wed, 11 Jun 2025 12:15:00 +0000

Type Values Removed Values Added
Description Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.11. Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.11 and Thunderbird < 128.11.
References

Tue, 10 Jun 2025 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:8.8
cpe:/a:redhat:rhel_e4s:9.2
cpe:/a:redhat:rhel_tus:8.6
cpe:/a:redhat:rhel_tus:8.8
Vendors & Products Redhat rhel Aus
Redhat rhel Tus

Fri, 06 Jun 2025 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:9.4
Vendors & Products Redhat rhel E4s
Redhat rhel Eus

Tue, 03 Jun 2025 06:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:10.0

Fri, 30 May 2025 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Thu, 29 May 2025 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux

Thu, 29 May 2025 02:45:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Memory safety bug
Weaknesses CWE-119
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 27 May 2025 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 27 May 2025 12:45:00 +0000

Type Values Removed Values Added
Description Memory safety bug present in Firefox ESR 128.10, and Thunderbird 128.10. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.11.
References

Subscriptions

Mozilla Firefox Thunderbird
Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:29:15.660Z

Reserved: 2025-05-27T12:29:27.413Z

Link: CVE-2025-5269

cve-icon Vulnrichment

Updated: 2025-11-03T20:06:12.724Z

cve-icon NVD

Status : Modified

Published: 2025-05-27T13:15:22.717

Modified: 2026-04-13T15:17:04.917

Link: CVE-2025-5269

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-05-27T12:29:27Z

Links: CVE-2025-5269 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:15:12Z

Weaknesses