CVE-2025-1937
Memory safety bugs fixed in Firefox 136, Thunderbird 136, Firefox ESR 115.21, Firefox ESR 128.8, and Thunderbird 128.8
In short
Firefox and Thunderbird contained memory safety bugs that could let an attacker crash the application or, with enough effort, run arbitrary code. Updating to a fixed version (Firefox 136, Firefox ESR 115.21 or 128.8, Thunderbird 136 or 128.8) removes the bugs.
Technical detail
Memory safety bugs in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7 and Thunderbird 128.7, tracked in Mozilla bugs 1938471 and 1940716. Mozilla reports that some of the bugs showed evidence of memory corruption and presumes that, with enough effort, some could have been exploited to run arbitrary code; the advisory does not claim that exploitation was observed. Exploitation requires user interaction, namely rendering attacker-controlled web or email content in the vulnerable client, which matches the UI:R component of the CVSS vector below. Fixed in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136 and Thunderbird 128.8.
Summary generated and translated by AI from the official description.
Memory safety bugs present in Firefox 135, Thunderbird 135, Firefox ESR 115.20, Firefox ESR 128.7, and Thunderbird 128.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
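The practical check for this advisory is a version comparison that respects the release channel: a Firefox 128.7.0esr host needs 128.8, a Firefox 135.0.1 host needs 136, and comparing either against the other branch gives the wrong answer. The script below is an added example, not code from Mozilla or from this page; the fixed-version table is taken from the advisory text above, the inventory lines are constructed sample data, and the `--version` style prefix handling is an assumption about how the strings reach the script.

```python
import re
from typing import Dict, List, Tuple, Union

# Fixed versions per product and branch, from the advisory: the rapid-release
# channel ("release") and the ESR branches that were still supported.
# Thunderbird 115 is not listed by Mozilla, so it deliberately has no entry.
Branch = Union[str, int]
FIXED: Dict[Tuple[str, Branch], Tuple[int, int, int]] = {
    ("firefox", "release"): (136, 0, 0),
    ("firefox", 115): (115, 21, 0),
    ("firefox", 128): (128, 8, 0),
    ("thunderbird", "release"): (136, 0, 0),
    ("thunderbird", 128): (128, 8, 0),
}

# Accepts bare "128.7.0esr" as well as "Mozilla Firefox 136.0" style output
# (assumed format of `firefox --version`); the version must end the string.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$")


def parse_version(s: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) for a Mozilla-style version string."""
    m = VERSION_RE.search(s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch, _esr = m.groups()
    return (int(major), int(minor), int(patch or 0))


def branch_for(product: str, version: Tuple[int, int, int]) -> Branch:
    """Pick the ESR branch when the major is one the advisory lists, else release.

    Deciding by major number rather than by the 'esr' suffix matters because
    package managers often report '128.7.0' without the suffix.
    """
    major = version[0]
    return major if (product, major) in FIXED else "release"


def required_version(product: str, version: str) -> str:
    """Lowest fixed version on the host's own branch, as 'major.minor'."""
    product = product.lower()
    v = parse_version(version)
    fixed = FIXED[(product, branch_for(product, v))]  # KeyError: unknown product
    return f"{fixed[0]}.{fixed[1]}"


def is_fixed(product: str, version: str) -> bool:
    """True if this version of the product contains the CVE-2025-1937 fix."""
    product = product.lower()
    v = parse_version(version)
    return v >= FIXED[(product, branch_for(product, v))]


# Constructed sample inventory: host,product,version (not real hosts).
INVENTORY = """\
ws-01,firefox,Mozilla Firefox 135.0.1
ws-02,firefox,136.0
srv-03,firefox,128.7.0esr
srv-04,firefox,128.8.0esr
legacy-05,firefox,115.20.0esr
mail-06,thunderbird,128.7.0
mail-07,thunderbird,136.0
"""


def exposed_hosts(inventory_csv: str) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, reported version, required version) for hosts
    still below the fixed version on their branch."""
    out = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        if not is_fixed(product, version):
            out.append((host, product, version, required_version(product, version)))
    return out


if __name__ == "__main__":
    for host, product, have, need in exposed_hosts(INVENTORY):
        print(f"{host}: {product} {have} -> update to {need}")
```

A host whose major is neither a listed ESR branch nor at least 136 (for example a leftover Thunderbird 115 install) is compared against the release fix and reported as exposed, which is the right outcome: it is out of support and has no fixed build on its own branch.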
References
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1938471%2C1940716
https://lists.debian.org/debian-lts-announce/2025/03/msg00006.html
https://www.mozilla.org/security/advisories/mfsa2025-14/
https://www.mozilla.org/security/advisories/mfsa2025-15/
https://www.mozilla.org/security/advisories/mfsa2025-16/
https://www.mozilla.org/security/advisories/mfsa2025-17/
https://www.mozilla.org/security/advisories/mfsa2025-18/
http://www.openwall.com/lists/oss-security/2025/03/10/6