Impact
The CVE describes a memory safety bug that can cause memory corruption such as out‑of‑bounds reads and writes, buffer overflows, and use‑after‑free scenarios (CWE‑119, CWE‑125, CWE‑416, CWE‑787, CWE‑825). The fault can trigger application crashes, and if the corruption is triggered correctly, it may allow an attacker to overwrite memory, potentially leading to arbitrary code execution or data leakage. The vulnerability has been fixed by patching Mozilla Firefox to version 152 or the ESR 140.12 branch and Mozilla Thunderbird to version 152 or the ESR 140.12 branch.
Affected Systems
The security flaw affects Mozilla Firefox versions 152 and the ESR 140.12 branch, as well as Mozilla Thunderbird versions 152 and the ESR 140.12 branch. No other product versions are listed as vulnerable.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity impact. The EPSS score of less than 1 percent suggests that, as of the time of assessment, the likelihood of exploitation is very low. The vulnerability is not present in the CISA Known Exploited Vulnerabilities catalog. The attack vector is not explicitly detailed in the advisory; however, based on the nature of the bug, it is inferred that the vulnerability could be triggered by malformed data received during normal operation, potentially allowing remote exploitation in environments where the affected applications process untrusted input.
OpenCVE Enrichment
Debian DLA
Debian DSA