VYPR
High severity 8.8 · NVD Advisory · Published Jul 22, 2025 · Updated Apr 13, 2026

CVE-2025-8034

Description

Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memory safety bugs in Firefox and Thunderbird could allow arbitrary code execution via memory corruption, fixed in recent versions.

Vulnerability Description

CVE-2025-8034 is a collection of memory safety bugs affecting multiple versions of Firefox and Thunderbird. Some of these bugs exhibited memory corruption, and it is presumed that with enough effort they could be exploited to run arbitrary code [2]. One specific bug identified is a data race in PLDHashTable::MakeEntryHandle, discovered using ThreadSanitizer [1].

Exploitation

To trigger the data race, an attacker could lure a victim to a malicious website; the race was found by visiting a live website with a ThreadSanitizer build [1]. The general class of memory corruption bugs may allow an attacker to corrupt memory and execute arbitrary code, although successful exploitation may require significant effort. In the Thunderbird product, scripting is disabled when reading email, limiting exploitation to browser or browser-like contexts [3][4].

Impact

If successfully exploited, an attacker could achieve arbitrary code execution in the context of the affected application, potentially leading to full system compromise.

Mitigation

Mozilla has addressed these issues in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1 [2][3][4]. Users are advised to update their software to the latest versions.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <141.0)
  • cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <115.26.0)
  • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* (range: <141.0)
  • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (range: <128.13.0)
