CVE-2025-10537
Description
Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory safety bugs in Firefox and Thunderbird before versions 143/140.3 could allow arbitrary code execution via memory corruption.
Vulnerability
Overview
CVE-2025-10537 is a collection of memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142, and Thunderbird 142. These bugs showed evidence of memory corruption, and Mozilla presumes that with enough effort some could be exploited to run arbitrary code [1][3][4]. The vulnerability was reported by Andrew McCreight and the Mozilla Fuzzing Team [3][4].
Attack
Vector and Prerequisites
Exploitation would require an attacker to craft web content that triggers the memory safety flaw. In the Thunderbird product, scripting is disabled when reading mail, so these flaws cannot be exploited through email directly, but they remain a risk in browser or browser-like contexts [2][3]. No additional authentication or network position is required beyond the ability to serve malicious content to a vulnerable browser.
Impact
Successful exploitation could allow an attacker to execute arbitrary code on the victim's system, potentially leading to full compromise of the affected application and underlying operating system. The CVSS v3 base score is 8.8 (High) [1].
Mitigation
Mozilla has fixed these bugs in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3 [1][2][3][4]. Users should update to these versions or later to mitigate the risk.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <143.0)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <140.3.0)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* (range: <143.0)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (range: <140.3.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.mozilla.org/security/advisories/mfsa2025-73/ (NVD: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-75/ (NVD: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-77/ (NVD: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-78/ (NVD: Vendor Advisory)
- bugzilla.mozilla.org/buglist.cgi (NVD: Issue Tracking)
- lists.debian.org/debian-lts-announce/2025/09/msg00020.html (NVD)
- lists.debian.org/debian-lts-announce/2025/09/msg00026.html (NVD)
News mentions
No linked articles in our index yet.