CVE-2025-14328
Description
Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A privilege escalation vulnerability in the Netmonitor component of Firefox and Thunderbird allows an attacker to gain elevated privileges, patched in Firefox 146, ESR 140.6, and Thunderbird 146/140.6.
Vulnerability Overview
CVE-2025-14328 is a privilege escalation vulnerability in the Netmonitor component of Mozilla Firefox and Thunderbird. The root cause is a flaw in the Netmonitor component that allows an attacker to escalate privileges within the application [1][2]. The vulnerability was reported by Ameen Basha M K and has been assigned a high severity rating with a CVSS v3 score of 8.8 [1][2].
Exploitation and Attack Surface
The vulnerability can be exploited in browser or browser-like contexts, but in the Thunderbird product, scripting is disabled when reading email, which prevents exploitation through email alone [1][3]. However, in Firefox or other browser contexts, an attacker could potentially trigger the privilege escalation by convincing a user to visit a malicious page or by exploiting another vulnerability to execute code in the browser's context [1][2].
Impact
Successful exploitation of this vulnerability could allow an attacker to gain elevated privileges within the affected application, potentially leading to further compromise of the system [1][2]. The impact is considered high, and the vulnerability is part of a set of multiple security fixes released by Mozilla on December 9, 2025 [1][2].
Mitigation
Mozilla has addressed this vulnerability in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6 [1][2][3][4]. Users are strongly advised to update their software to the latest versions to mitigate the risk. No workarounds are mentioned in the advisories.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <146.0)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <140.6.0)
- (no CPE) (range: <146)
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* (range: <146.0)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (range: <140.6.0)
- (no CPE) (range: <146)
- Range: <140.6
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2025-92/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-94/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-95/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-96/ (nvd; Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd; Issue Tracking, Permissions Required)