Impact
The vulnerability is a memory safety bug that can result in out-of-bounds read (CWE-125), out-of-bounds write (CWE-787), use‑after‑free (CWE-416), and type confusion (CWE-843) conditions. These weaknesses can allow an attacker to read sensitive data from memory, corrupt program state, or crash the application, thereby compromising confidentiality and availability.
Affected Systems
The flaw affects Mozilla Firefox and Mozilla Thunderbird versions prior to 152 (or Firefox ESR 140.12 and Thunderbird ESR 140.12). The bug was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate severity. The EPSS score of <1% shows a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. It is inferred that exploitation would likely require an attacker to deliver malicious content to the application, such as a crafted email or attachment, or to exploit local privileges during processing.
OpenCVE Enrichment
Debian DLA
Debian DSA