Impact
Incorrect boundary conditions in the Internationalization component can lead to a buffer overflow (CWE‑119) and integer overflow (CWE‑131). If triggered, an attacker may cause the application to crash or, in the worst case, execute arbitrary code on the affected host. The weakness arises from improper handling of internationalized input, which can corrupt memory if supplied data exceeds expected limits or when size calculations fail.
Affected Systems
The vulnerability affects Mozilla Firefox ESR and Thunderbird installations that are older than the versions where the issue was fixed: Firefox ESR 140.12, Firefox ESR 115.37, and Thunderbird 140.12. Any user running earlier ESR releases of either product without these specific patches is vulnerable.
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1% suggests a low probability of real‑world exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a maliciously crafted internationalized string delivered via a web page or email; the exact method of exploitation is not detailed in the advisory, so this inference is made from the nature of the weakness.
OpenCVE Enrichment
Debian DLA
Debian DSA