CVE-2025-8035
Description
Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory safety bugs in Firefox 140, Thunderbird 140 and the 128 and 140 ESR branches of both could allow arbitrary code execution; fixed in Firefox/Thunderbird 141, ESR 128.13 and ESR 140.1.
Vulnerability
CVE-2025-8035 covers multiple memory safety bugs in Firefox 140, Firefox ESR 128.12 and 140.0, Thunderbird 140, and Thunderbird ESR 128.12 and 140.0. Mozilla's roll-up advisory does not characterise the individual bugs; it states only that some showed evidence of memory corruption and that, with enough effort, some could presumably be exploited to run arbitrary code [2]. The one bug this narrative traces is a heap-buffer-overflow in the nsFocusManager component, reproduced by a fuzzer-generated testcase in Bug 1975961 [1], i.e. memory corruption triggered during focus handling.
Exploitation
The bugs are reachable from crafted web content in Firefox and from browser-like contexts in Thunderbird. Mozilla's Thunderbird advisories note that flaws of this kind generally cannot be exploited through email, because scripting is disabled when reading mail, but remain a risk in browser or browser-like contexts [3][4]. Exploitation therefore requires user interaction: visiting an attacker-controlled page, or opening content in a context where script is allowed to run.
Impact
Successful exploitation could allow arbitrary code execution with the privileges of the user running the affected application. The Mozilla advisory rates the impact as high [2]; the CVSS base score of 8.8 reflects remote code execution that requires user interaction.
Mitigation
Mozilla fixed these bugs in Firefox 141, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1 [2][3][4]. Update to those versions or later; ESR users must update within their own branch (128.13 or 140.1), since the 128 and 140 ESR lines are fixed separately. Users of distribution packages should take the vendor-packaged update (a Debian LTS announcement is listed in the references).
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* range: <141.0
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* range: <128.13.0
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* range: <141.0
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* range: <128.13.0
Note: the ESR ranges above cover only the 128 branch. Firefox ESR 140.0 and Thunderbird ESR 140.0 are also affected per the description and are fixed in 140.1, so a scanner keyed on these CPE ranges alone will miss the 140 ESR branch.
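The following version-triage script is an added example, not Mozilla's code and not part of the original page. It encodes the fixed versions from the Mitigation section (release 141, ESR 128.13, ESR 140.1) as three separate branches rather than the two CPE ranges above, so the 140 ESR branch is handled correctly. It assumes the version string carries Mozilla's `esr` suffix (as `firefox --version` prints, e.g. `Mozilla Firefox 128.12.0esr`); the sample banners are constructed for illustration.

```python
"""Triage Firefox / Thunderbird version strings against CVE-2025-8035.

Added example (not Mozilla code). Fixed versions are taken from the CVE
description / MFSA 2025-56; the same numbers apply to Firefox and Thunderbird.
"""
import re

# First fixed version per branch. The release branch jumps to 141; the two
# ESR branches are fixed independently (the CPE data lists only the 128 one).
FIXED_IN = {
    "release": (141, 0, 0),
    "esr128": (128, 13, 0),
    "esr140": (140, 1, 0),
}

# Matches "140.0.4", "128.12.0esr" or "140.0esr" anywhere in a --version banner.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.IGNORECASE)


def parse_version(banner):
    """Return (major, minor, patch, is_esr) from a version string or banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no version number in {banner!r}")
    major, minor, patch, esr = m.groups()
    return int(major), int(minor), int(patch or 0), esr is not None


def branch_of(major, is_esr):
    """Map a version to the advisory's branch; None if the advisory does not name it."""
    if not is_esr:
        return "release"
    if major == 128:
        return "esr128"
    if major == 140:
        return "esr140"
    return None  # e.g. 115esr: not covered by this advisory, triage separately


def check(banner):
    """Triage one version. 'affected' is True/False, or None for an unknown branch."""
    major, minor, patch, is_esr = parse_version(banner)
    branch = branch_of(major, is_esr)
    result = {
        "version": (major, minor, patch),
        "esr": is_esr,
        "branch": branch,
        "fixed_in": FIXED_IN.get(branch),
        "affected": None,
    }
    if branch is not None:
        # Tuple comparison gives correct numeric ordering (128.12.0 < 128.13.0).
        result["affected"] = (major, minor, patch) < FIXED_IN[branch]
    return result


def triage(banners):
    """Return the banners that are still on a vulnerable version."""
    return [b for b in banners if check(b)["affected"]]


# Constructed sample banners in the shape `firefox --version` / `thunderbird --version` print.
SAMPLE_BANNERS = [
    "Mozilla Firefox 140.0.4",      # release branch, fixed in 141 -> affected
    "Mozilla Firefox 141.0",        # first fixed release
    "Mozilla Firefox 128.12.0esr",  # ESR 128.12 -> affected
    "Mozilla Firefox 128.13.0esr",  # fixed
    "Thunderbird 140.0esr",         # ESR 140.0 -> affected, although the CPE range misses it
    "Thunderbird 140.1.0esr",       # fixed
    "Mozilla Firefox 115.20.0esr",  # branch not named in the advisory -> None
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        r = check(b)
        print(f"{b:30} branch={r['branch']} fixed_in={r['fixed_in']} affected={r['affected']}")
```

The classification rests on the `esr` suffix: a packager that strips it turns an ESR 140.1 build into "release 140.1", which the script flags as affected (a conservative false positive), while a suffix-less 128.x build is still flagged, correctly, via the release range. Versions on branches the advisory does not name (115esr, for instance) come back as `None` rather than as "not affected", so they are not silently passed.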
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.mozilla.org/security/advisories/mfsa2025-56/ (NVD: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-58/ (NVD: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-59/ (NVD: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-61/ (NVD: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-62/ (NVD: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-63/ (NVD: Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (NVD)
- lists.debian.org/debian-lts-announce/2025/07/msg00016.html (NVD)
News mentions
No linked articles in our index yet.