VYPR
High severity · 7.3 · NVD Advisory · Published Dec 9, 2025 · Updated Apr 13, 2026

CVE-2025-14332

Description

Memory safety bugs present in Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 146 and Thunderbird 146.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Firefox 145 and Thunderbird 145 had multiple memory safety bugs that could potentially allow arbitrary code execution; fixed in version 146.

Overview

CVE-2025-14332 is a catch-all identifier for multiple memory safety bugs present in Firefox 145 and Thunderbird 145. The official description notes that some of these bugs showed evidence of memory corruption and that with enough effort they could have been exploited to run arbitrary code [1][2]. The vulnerabilities were fixed in Firefox 146 and Thunderbird 146.

Attack Surface and Exploitation

These flaws exist in various components across both products, including the JavaScript engine, WebRTC, graphics, and networking subsystems. In Thunderbird, exploitation is severely constrained because scripting is disabled when reading email, so these bugs are primarily a risk in browser or browser-like contexts. In Firefox, an attacker would need to entice a user to a specially crafted web page to trigger memory corruption [1][2].

Impact

Successful exploitation could allow an attacker to execute arbitrary code in the context of the affected application, leading to a complete compromise of the user's system. The vulnerabilities are assessed as high severity (CVSS 7.3), reflecting the potential for code execution without authentication [1][2].

Mitigation

Mozilla addressed these issues in Firefox 146 and Thunderbird 146, released on December 9, 2025 [1][2]. Users should update to the latest versions immediately. No workarounds are mentioned, and the vulnerabilities are not known to be exploited in the wild.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (+ 1 more)
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*, range: <146.0
    • (no CPE), range: =145
  • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* (+ 1 more)
    • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*, range: <146.0
    • (no CPE), range: =145

References

3
