CVE-2025-5268
Description
Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory safety bugs in Firefox and Thunderbird could lead to memory corruption and arbitrary code execution; fixed in version 139 and ESR 128.11.
Vulnerability Overview
CVE-2025-5268 is a collection of memory safety bugs affecting Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. These bugs showed evidence of memory corruption, and with sufficient effort could be exploited to run arbitrary code [1][2].
Attack Vector
The vulnerabilities are present in browser and browser-like contexts. In Thunderbird, scripting is disabled when reading mail, so these flaws cannot be exploited through email, but they remain a risk in other contexts [1][3].
Impact
Successful exploitation could lead to memory corruption and arbitrary code execution, potentially allowing an attacker to take control of the affected system [1][2].
Mitigation
Mozilla has addressed these issues in Firefox 139, Firefox ESR 128.11, Thunderbird 139, and Thunderbird 128.11. Users are advised to update to these versions [1][2][3][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <139.0)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <128.11.0)
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2025-42/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-44/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-45/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-46/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/buglist.cgi (nvd, Broken Link)
- lists.debian.org/debian-lts-announce/2025/05/msg00043.html (nvd)
- lists.debian.org/debian-lts-announce/2025/05/msg00046.html (nvd)