Description
Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.
Published: 2025-08-19
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability consists of memory safety bugs that can lead to memory corruption in multiple versions of Firefox and Thunderbird. The flaw is inferred to be a buffer over-read or similar, and it is classified as CWE‑119 (inferred). The official description notes that, with sufficient effort, attackers could exploit the bugs to execute arbitrary code. The CVSS score of 8.1 reflects the potential for complete compromise of confidentiality, integrity, and availability. The flaw exists in earlier releases—Firefox ESR 115.26, ESR 128.13, ESR 140.1, the regular Firefox 141, Thunderbird ESR 128.13, ESR 140.1, and Thunderbird 141—and has been fixed in later versions with corresponding ESR releases.

Affected Systems

Affected products include Mozilla Firefox and Thunderbird across both standard and Extended Support Release (ESR) branches. The vulnerable releases are Firefox ESR 115.26, ESR 128.13, ESR 140.1, the regular Firefox 141, Thunderbird ESR 128.13, ESR 140.1, and Thunderbird 141. The advisory lists the patched versions: Firefox 142 and ESR 115.27, ESR 128.14, ESR 140.2; Thunderbird 142 and ESR 128.14, ESR 140.2.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1 percent shows exploitation probability is currently low. The advisory does not list it in the CISA KEV catalog. The likely attack vector is a remote attacker providing crafted content to the browser to trigger memory corruption (inferred), but exact details are not disclosed; the description assumes that some bugs could be exploited for arbitrary code execution with enough effort (inferred). Therefore, the risk is significant for users running the affected versions, and even a low initial exploitation likelihood warrants prompt patching.

Generated by OpenCVE AI on April 20, 2026 at 18:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 142 or later, or to ESR 115.27, ESR 128.14, or ESR 140.2 or later; apply the same updates to Thunderbird to version 142 or later, or to ESR 128.14 or ESR 140.2.
  • If your system cannot immediately upgrade, install the Debian LTS backport updates referenced in the advisory or otherwise ensure the operating system’s mitigations for memory safety (e.g., canary, ASLR) are enabled.
  • Continuously monitor security bulletins for any new exploitation activity and maintain system isolation until the patch is applied.

Generated by OpenCVE AI on April 20, 2026 at 18:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4277-1 firefox-esr security update
Debian DLA Debian DLA DLA-4279-1 thunderbird security update
Debian DSA Debian DSA DSA-5980-1 firefox-esr security update
Debian DSA Debian DSA DSA-5984-1 thunderbird security update
EUVD EUVD EUVD-2025-25243 Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.

Mon, 03 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
References

Thu, 30 Oct 2025 16:00:00 +0000

Type Values Removed Values Added
Title thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142 Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142

Fri, 22 Aug 2025 00:15:00 +0000

Type Values Removed Values Added
Title thunderbird: firefox: Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 21 Aug 2025 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Thu, 21 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 Aug 2025 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Tue, 19 Aug 2025 20:45:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:25:52.926Z

Reserved: 2025-08-19T15:56:07.840Z

Link: CVE-2025-9185

cve-icon Vulnrichment

Updated: 2025-11-03T18:14:16.037Z

cve-icon NVD

Status : Modified

Published: 2025-08-19T21:15:31.037

Modified: 2026-04-13T15:17:14.473

Link: CVE-2025-9185

cve-icon Redhat

Severity : Important

Publid Date: 2025-08-19T20:33:55Z

Links: CVE-2025-9185 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:15:13Z

Weaknesses