Description
An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.
Published: 2025-08-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox escape that can lead to arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

An attacker who can influence the encrypted media processing pipeline can corrupt memory inside the GMP process, a sandboxed component of Mozilla applications. This overflow-type flaw, identified as CWE-119, allows a sandbox escape that can give the attacker arbitrary code execution or privilege escalation within the user’s system. The severity is high, reflected in the CVSS score of 9.8, because once the sandbox is breached, the attacker can run any code with the same rights as the application.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. Versions prior to Firefox 142, Firefox ESR 115.27, 128.14, and 140.2, as well as Thunderbird 142, 128.14, and 140.2, are vulnerable. The fix is available in the listed releases and later. All other Mozilla products not listed here are not reported to be affected.

Risk and Exploitability

The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild at the time of this analysis. However, the CVSS of 9.8 highlights a maximum impact if exploited. The vulnerability is not currently listed in the CISA KEV catalog, meaning that there is no widespread evidence of active exploitation, but the attack vector is a memory corruption in a sandboxed media component, which requires content that triggers the bad pointer handling. The combination of high severity and limited exploitation probability suggests a high-impact, low-probability risk profile.

Generated by OpenCVE AI on April 20, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 142 or later, or update to the latest Firefox ESR release (115.27, 128.14, or 140.2).
  • Upgrade Mozilla Thunderbird to version 142 or later, or update to the latest Thunderbird ESR release (128.14 or 140.2).
  • If an immediate upgrade is not possible, block or disable the loading of encrypted media content in the affected browsers until the patch is applied.



Advisories
| Source | ID | Title |
|---|---|---|
| Debian DLA | DLA-4277-1 | firefox-esr security update |
| Debian DLA | DLA-4279-1 | thunderbird security update |
| Debian DSA | DSA-5980-1 | firefox-esr security update |
| Debian DSA | DSA-5984-1 | thunderbird security update |
| EUVD | EUVD-2025-25246 | An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. |
| Ubuntu USN | USN-7991-1 | Thunderbird vulnerabilities |

History

Mon, 13 Apr 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. | An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2. |

Mon, 03 Nov 2025 19:30:00 +0000


Thu, 30 Oct 2025 16:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | thunderbird: firefox: Sandbox escape due to invalid pointer in the Audio/Video: GMP component | Sandbox escape due to invalid pointer in the Audio/Video: GMP component |

Fri, 22 Aug 2025 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | thunderbird: firefox: Sandbox escape due to invalid pointer in the Audio/Video: GMP component |
| References | | |
| Metrics | threat_severity: None | threat_severity: Important |

Thu, 21 Aug 2025 18:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| CPEs | | cpe:2.3:a:mozilla:firefox:\*:\*:\*:\*:-:\*:\*:\*, cpe:2.3:a:mozilla:firefox:\*:\*:\*:\*:esr:\*:\*:\*, cpe:2.3:a:mozilla:thunderbird:\*:\*:\*:\*:-:\*:\*:\*, cpe:2.3:a:mozilla:thunderbird:\*:\*:\*:\*:esr:\*:\*:\* |

Thu, 21 Aug 2025 12:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Mozilla, Mozilla firefox, Mozilla firefox Esr, Mozilla thunderbird |
| Vendors & Products | | Mozilla, Mozilla firefox, Mozilla firefox Esr, Mozilla thunderbird |

Wed, 20 Aug 2025 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-119 |
| Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Tue, 19 Aug 2025 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. |
| References | | |

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:25:47.601Z

Reserved: 2025-08-19T15:55:37.418Z

Link: CVE-2025-9179

Vulnrichment

Updated: 2025-11-03T18:14:10.275Z

NVD

Status: Modified

Published: 2025-08-19T21:15:30.247

Modified: 2026-04-13T15:17:13.367

Link: CVE-2025-9179

Redhat

Severity: Important

Public Date: 2025-08-19T20:33:53Z

Links: CVE-2025-9179 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses