CVE-2025-4091
Description
Memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Thunderbird 138, and Thunderbird 128.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple memory safety bugs in Firefox and Thunderbird could allow arbitrary code execution; fixed in version 138 and ESR 128.10.
CVE-2025-4091 describes memory safety bugs present in Firefox 137, Thunderbird 137, Firefox ESR 128.9, and Thunderbird 128.9. These bugs showed evidence of memory corruption, suggesting that with enough effort they could be exploited to run arbitrary code. The root cause involves unspecified memory corruption issues within the affected software [1][2][3][4].
The exploitation vectors are not detailed, but such memory safety bugs are typically triggered by processing malicious content, such as visiting a crafted webpage or opening a specially designed email in Thunderbird. No additional privileges are required; the vulnerability can be exploited by a remote attacker without authentication.
Successful exploitation could allow an attacker to execute arbitrary code on the victim's system, potentially leading to full compromise of the affected application and the underlying operating system.
Mozilla has addressed these vulnerabilities in Firefox 138, Firefox ESR 128.10, Thunderbird 138, and Thunderbird 128.10. Users are strongly advised to update to these versions as soon as possible to protect against potential attacks [1][2][3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <138.0)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <128.10)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* (range: <138.0)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (range: <128.10.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.mozilla.org/security/advisories/mfsa2025-28/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-29/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-31/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-32/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/buglist.cgi (nvd, Broken Link)
- lists.debian.org/debian-lts-announce/2025/05/msg00024.html (nvd)
News mentions
No linked articles in our index yet.