Description
Denial-of-service due to out-of-memory in the Graphics: WebRender component. This vulnerability was fixed in Firefox 142, Firefox ESR 140.2, Thunderbird 142, and Thunderbird 140.2.
Published: 2025-08-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The flaw arises when the Graphics: WebRender component can run out of memory during normal operation, causing the browser to become unresponsive or crash. This leads to a denial of service that affects only the affected user's session or machine, but can be exploited by displacing resources. The weakness is identified as an uncontrolled resource consumption issue.

Affected Systems

Mozilla Firefox and Thunderbird are affected. Any release before Firefox 142 or the ESR 140.2 line, and any Thunderbird release before 142 or the ESR 140.2 line, are vulnerable. The issue specifically impacts the WebRender rendering subsystem used by these products.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact level. EPSS is below 1%, implying the exploitation probability is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via a malicious web page or email attachment that triggers rendering of complex or malformed graphics content. Requiring the product to process such content will exhaust memory and force a crash, resulting in a service availability loss for the user. No known exploitation of confidentiality or integrity properties is documented.

Generated by OpenCVE AI on April 20, 2026 at 16:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 142 or later, or to the ESR 140.2 series, and update Mozilla Thunderbird to version 142 or later, or to the ESR 140.2 series.
  • If a timely update cannot be performed, consider disabling the WebRender rendering engine in the browser settings or using an alternative browser to prevent rendering of untrusted content.
  • Configure system or browser policies to monitor and isolate rendering processes, and remain vigilant for sudden crashes or freezes that may indicate exploitation.

Generated by OpenCVE AI on April 20, 2026 at 16:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25241 'Denial-of-service due to out-of-memory in the Graphics: WebRender component.' This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Denial-of-service due to out-of-memory in the Graphics: WebRender component. This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2. Denial-of-service due to out-of-memory in the Graphics: WebRender component. This vulnerability was fixed in Firefox 142, Firefox ESR 140.2, Thunderbird 142, and Thunderbird 140.2.

Thu, 30 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
Description 'Denial-of-service due to out-of-memory in the Graphics: WebRender component.' This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2. Denial-of-service due to out-of-memory in the Graphics: WebRender component. This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2.
Title firefox: thunderbird: Denial-of-service due to out-of-memory in the Graphics: WebRender component Denial-of-service due to out-of-memory in the Graphics: WebRender component

Fri, 22 Aug 2025 00:15:00 +0000

Type Values Removed Values Added
Title firefox: thunderbird: Denial-of-service due to out-of-memory in the Graphics: WebRender component
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 21 Aug 2025 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Wed, 20 Aug 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 Aug 2025 20:45:00 +0000

Type Values Removed Values Added
Description 'Denial-of-service due to out-of-memory in the Graphics: WebRender component.' This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2.
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:37.915Z

Reserved: 2025-08-19T15:56:02.735Z

Link: CVE-2025-9182

cve-icon Vulnrichment

Updated: 2025-08-20T14:04:50.858Z

cve-icon NVD

Status : Modified

Published: 2025-08-19T21:15:30.650

Modified: 2026-04-13T15:17:13.967

Link: CVE-2025-9182

cve-icon Redhat

Severity : Low

Publid Date: 2025-08-19T20:33:56Z

Links: CVE-2025-9182 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses