Description
Uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 142, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.
Published: 2025-08-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The flaw occurs when the JavaScript engine reads memory that has not been initialized. This uninitialized memory read can expose arbitrary data stored in the browser process or cause the browser to crash. The vulnerability corresponds to CWE-457 (Use of Uninitialized Variable) and CWE-665 (Buffer Access with Incorrect Length Value). The official description does not state that the flaw enables direct code execution; the primary consequence is therefore the potential leakage of sensitive information or unintended denial of service.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. Releases without the fix are those earlier than Firefox 142 and the ESR releases 128.14 and 140.2, and those earlier than Thunderbird 142 and the corresponding ESR releases 128.14 and 140.2; all earlier releases of these products are vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of < 1% points to a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog, reinforcing the modest risk assessment. The likely attack vector involves malicious or compromised web pages delivering crafted JavaScript that executes in a user's browser session; the attacker would need to entice a user to visit a website or otherwise inject the code. Because the flaw does not provide an explicit remote code-execution path, the risk centres on potential information disclosure, but exploitation remains plausible despite the low EPSS score.

Generated by OpenCVE AI on April 20, 2026 at 18:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all Firefox and Thunderbird installations to a version that includes the fix (Firefox 142 or newer, ESR 128.14 or 140.2, Thunderbird 142 or newer, ESR 128.14 or 140.2).
  • If an immediate update is impossible, disable or heavily restrict JavaScript execution for untrusted or unknown web content through the browser’s policy settings to reduce the chance of triggering the flaw.
  • When neither an update nor policy changes can be applied, isolate users from potentially malicious sites by applying network segmentation or firewall rules that restrict outbound traffic to known safe domains, thereby limiting exposure to crafted scripts.

Advisories

Source | ID | Title
Debian DLA | DLA-4277-1 | firefox-esr security update
Debian DLA | DLA-4279-1 | thunderbird security update
Debian DSA | DSA-5980-1 | firefox-esr security update
Debian DSA | DSA-5984-1 | thunderbird security update
EUVD | EUVD-2025-25244 | Uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 142, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.
Ubuntu USN | USN-7991-1 | Thunderbird vulnerabilities

History

Mon, 13 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | Uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 142, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. | Uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 142, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.

Mon, 03 Nov 2025 19:30:00 +0000

Thu, 30 Oct 2025 16:00:00 +0000

Type | Values Removed | Values Added
Title | thunderbird: firefox: Uninitialized memory in the JavaScript Engine component | Uninitialized memory in the JavaScript Engine component

Fri, 22 Aug 2025 00:15:00 +0000

Type | Values Removed | Values Added
Title | | thunderbird: firefox: Uninitialized memory in the JavaScript Engine component
Weaknesses | | CWE-665
References | |
Metrics | threat_severity: None | threat_severity: Moderate

Thu, 21 Aug 2025 18:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
 | | cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
 | | cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
 | | cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Thu, 21 Aug 2025 12:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla; Mozilla firefox; Mozilla firefox Esr; Mozilla thunderbird
Vendors & Products | | Mozilla; Mozilla firefox; Mozilla firefox Esr; Mozilla thunderbird

Wed, 20 Aug 2025 16:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-457
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 Aug 2025 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 142, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.
References | |

MITRE

Status: PUBLISHED
Assigner: mozilla
Published:
Updated: 2026-04-13T14:25:51.187Z
Reserved: 2025-08-19T15:55:41.889Z
Link: CVE-2025-9181

Vulnrichment

Updated: 2025-11-03T18:14:14.144Z

NVD

Status: Modified
Published: 2025-08-19T21:15:30.520
Modified: 2026-04-13T15:17:13.777
Link: CVE-2025-9181

Redhat

Severity: Moderate
Public Date: 2025-08-19T20:33:55Z
Links: CVE-2025-9181 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T18:15:13Z

Weaknesses