Description
Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 142, Firefox ESR 140.2, Thunderbird 142, and Thunderbird 140.2.
Published: 2025-08-19
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution through memory corruption
Action: Immediate Patch
AI Analysis

Impact

Memory safety bugs were discovered in Firefox ESR 140.1, Firefox 141, Thunderbird ESR 140.1, and Thunderbird 141. The bugs caused memory corruption, and the description indicates that an attacker could, with sufficient effort, run arbitrary code. The impact of a successful exploitation would compromise the confidentiality, integrity, and availability of the affected system.

Affected Systems

The affected products are Mozilla Firefox and Thunderbird. Versions 140.1 and 141 of both Firefox and Thunderbird were vulnerable. The vulnerabilities are fixed in Firefox 142, Firefox ESR 140.2, Thunderbird 142, and Thunderbird ESR 140.2.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, indicating a high severity, but the EPSS score is less than 1% and it is not listed in the CISA KEV catalog. The likely attack vector involves either malicious web content or email attachments that trigger the memory corruption when processed by an unpatched browser or email client. Exploitation would likely require a user to view or open the malicious content but could be carried out without elevated privileges. Overall, the risk remains high due to the severity, but the probability of widespread exploitation is currently low.

Generated by OpenCVE AI on April 20, 2026 at 16:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 142 or the ESR 140.2 release, or upgrade to the newest available ESR version.
  • Update Thunderbird to version 142 or the ESR 140.2 release, or upgrade to the newest available ESR version.
  • If an update cannot be installed immediately, contact Mozilla support to discuss available options and monitor for future advisories.

Generated by OpenCVE AI on April 20, 2026 at 16:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25238 Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2. Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 142, Firefox ESR 140.2, Thunderbird 142, and Thunderbird 140.2.

Thu, 30 Oct 2025 16:30:00 +0000

Type Values Removed Values Added
Title thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142 Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142

Fri, 22 Aug 2025 00:15:00 +0000

Type Values Removed Values Added
Title thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 21 Aug 2025 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Thu, 21 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Tue, 19 Aug 2025 20:45:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2.
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:28:41.568Z

Reserved: 2025-08-19T15:56:07.296Z

Link: CVE-2025-9184

cve-icon Vulnrichment

Updated: 2025-08-21T13:45:21.163Z

cve-icon NVD

Status : Modified

Published: 2025-08-19T21:15:30.903

Modified: 2026-04-13T15:17:14.297

Link: CVE-2025-9184

cve-icon Redhat

Severity : Important

Publid Date: 2025-08-19T20:33:58Z

Links: CVE-2025-9184 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:00:12Z

Weaknesses