CVE-2025-14323
Description
Privilege escalation in the DOM: Notifications component. This vulnerability was fixed in Firefox 146, Firefox ESR 115.31, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Privilege escalation in Mozilla's DOM Notifications component allows attackers to gain elevated privileges in Firefox and Thunderbird.
Vulnerability Overview
CVE-2025-14323 is a privilege escalation vulnerability in the DOM: Notifications component of Mozilla Firefox and Thunderbird. The flaw allows an attacker to bypass security restrictions and obtain higher privileges within the browser or application context. The root cause lies in improper handling of notifications, leading to an unexpected privilege escalation [1][2].
Exploitation
The vulnerability can be exploited by a malicious web page in Firefox, or in Thunderbird when scripting is enabled. However, in Thunderbird, scripting is disabled by default when reading mail, so exploitation through email is not possible [1]. The attack vector likely involves a crafted notification or interaction with the notification system, though specific trigger details are not publicly disclosed.
Impact
Successful exploitation could allow an attacker to gain elevated privileges, potentially leading to further compromise such as sandbox escape or arbitrary code execution, depending on the affected version and context. The CVSS v3 score is 8.8, indicating high severity.
Mitigation
Mozilla has fixed this issue in Firefox 146, Firefox ESR 140.6, Firefox ESR 115.31, Thunderbird 146, and Thunderbird 140.6. Users are advised to update to the latest versions as soon as possible. No workarounds are currently available [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <146.0)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <115.31.0)
- (no CPE) (range: <146)
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* (range: <146.0)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (range: <140.6.0)
- (no CPE) (range: <146)
- (range: <115.31)
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2025-92/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-93/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-94/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-95/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-96/ (nvd; Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd; Issue Tracking, Permissions Required)