Impact
The vulnerability involves memory safety bugs that can corrupt memory during processing of data in Mozilla Firefox and Thunderbird browsers. The bugs are facilitated by a buffer overflow flaw (CWE‑120) and by improper validation of memory allocations (CWE‑825). When successfully exploited, an attacker could potentially execute arbitrary code with the privileges of the user running the browser. The description notes that with sufficient effort some of these bugs could have been exploited to run arbitrary code, indicating a high impact if exploitation is achieved.
Affected Systems
Mozilla Firefox and Mozilla Thunderbird are affected, specifically the following builds: Firefox ESR 115.36, Firefox ESR 140.11, Firefox 151, Thunderbird ESR 140.11, and Thunderbird 151. These vulnerabilities were fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12. Users running any of the listed affected versions should check for and install the corresponding patched releases.
Risk and Exploitability
The CVSS score of 8.1 indicates that this is a high‑severity condition. The EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves delivering crafted content or files that trigger the memory corruption while the browser parses them; therefore user interaction or the processing of untrusted data is likely required.
OpenCVE Enrichment
Debian DLA
Debian DSA