Impact
The reported bugs are classic memory safety violations, specifically buffer overrun or underrun weaknesses classified as CWE-119 and a data‑overlap or out‑of‑bounds write weakness classified as CWE-787. The description indicates that memory corruption was observed and that, with enough effort, the bugs could have been exploited to execute arbitrary code, which is the most severe impact on confidentiality, integrity, and availability.
Affected Systems
Vulnerabilities exist in Firefox ESR 140.11 and the non‑ESR release Firefox 151, as well as in Thunderbird ESR 140.11 and Thunderbird 151. The issue was corrected in Firefox 152 and the ESR branch 140.12, with the same updates applied to Thunderbird 152 and Thunderbird ESR 140.12. Any system that remains on one of the earlier releases is exposed.
Risk and Exploitability
The CVSS score of 8.1 signals a high severity vulnerability, while the EPSS score of less than 1 % indicates that exploitation is currently unlikely on a broad scale. The vulnerability is not listed in CISA’s KEV catalogue. The exploit path is not explicitly detailed in the advisory; it is inferred that an attacker would need to supply crafted input that triggers memory corruption, possibly through malicious content such as a web page or email, requiring user interaction. Because the vulnerability remains theoretically exploitable, organizations should consider the possibility of remote code execution as a risk.
OpenCVE Enrichment
Debian DLA
Debian DSA