Description
The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
Published: 2025-07-22
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

The JavaScript engine incorrectly handled closed generators, allowing an attacker to resume a closed generator and trigger a null pointer dereference that crashes the browser or email client. This flaw is a classic null pointer dereference (CWE‑476).

Affected Systems

Mozilla Firefox releases before 141 are vulnerable, as are Firefox ESR builds before 115.26, 128.13, and 140.1. Mozilla Thunderbird releases before 141, 128.13, and 140.1 are also impacted.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% shows a very low exploitation probability. The flaw requires JavaScript execution in a web page or email, so the attack vector is likely local or via malicious content rather than remote code execution. It is not listed in the CISA KEV. The primary consequence is a denial of service; an attacker could force a user to close the application or launch subsequent denial attacks, provided the generator is closed and then resumed through crafted scripts.

Generated by OpenCVE AI on April 20, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Firefox patch: upgrade to at least version 141 or the relevant ESR update (115.26, 128.13, or 140.1).
  • Apply the latest Thunderbird patch: upgrade to at least version 141 or the relevant ESR update (128.13 or 140.1).
  • If an immediate upgrade is not possible, block or disable JavaScript execution in the affected browsers or use a content‑filtering add‑on to prevent malicious script execution as a temporary measure.

Advisories
Source | ID | Title
Debian DLA | DLA-4250-1 | firefox-esr security update
Debian DLA | DLA-4253-1 | thunderbird security update
Debian DSA | DSA-5964-1 | firefox-esr security update
Debian DSA | DSA-5966-1 | thunderbird security update
EUVD | EUVD-2025-22362 | The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
Ubuntu USN | USN-7991-1 | Thunderbird vulnerabilities

History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
Values Added: The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

Mon, 03 Nov 2025 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 16:15:00 +0000

Type: Title
Values Removed: firefox: thunderbird: Incorrect JavaScript state machine for generators
Values Added: Incorrect JavaScript state machine for generators

Tue, 29 Jul 2025 12:30:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Incorrect JavaScript state machine for generators
First Time appeared Redhat
Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics threat_severity

None

threat_severity

Low


Mon, 28 Jul 2025 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Wed, 23 Jul 2025 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Wed, 23 Jul 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 22 Jul 2025 21:00:00 +0000

Type Values Removed Values Added
Description The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1.
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:27:06.664Z

Reserved: 2025-07-22T10:13:59.291Z

Link: CVE-2025-8033

Vulnrichment

Updated: 2025-11-03T20:07:52.372Z

NVD

Status: Modified

Published: 2025-07-22T21:15:50.457

Modified: 2026-04-13T15:17:09.897

Link: CVE-2025-8033

Redhat

Severity: Low

Public Date: 2025-07-22T20:49:27Z

Links: CVE-2025-8033 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses