CVE-2025-8040
Description
Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory safety bugs in Firefox 140, Firefox ESR 140.0, Thunderbird 140 and Thunderbird ESR 140.0 could be exploited to run arbitrary code; fixed in Firefox 141, Thunderbird 141 and the ESR 140.1 releases of both.
Vulnerability
Overview
CVE-2025-8040 is Mozilla's roll-up identifier for a set of memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140, and Thunderbird 140. Mozilla's advisories state that some of these bugs showed evidence of memory corruption and that, with enough effort, some could presumably have been exploited to run arbitrary code [1][2][3][4]. Mozilla does not describe the individual bugs behind this identifier; they are tracked only through the linked Bugzilla list [5]. The same advisories separately document other memory-safety issues under their own CVE IDs, for example a JavaScript JIT compiler bug on 64-bit platforms where only 32 bits of a 64-bit return value were written to the stack (CVE-2025-8027) and a WebAssembly branch-table truncation on arm64 (CVE-2025-8028) [1][4]. Those are distinct entries with their own identifiers and are not part of CVE-2025-8040.
Exploitation and Attack Surface
Exploiting memory corruption in a browser or mail client typically requires getting the victim to load attacker-controlled content: a malicious or compromised web page, an embedded ad, or content rendered in a browser-like context. Mozilla notes that these flaws generally cannot be exploited through email in Thunderbird, because scripting is disabled when reading mail, but remain a risk in browser or browser-like contexts [2][3]. No authentication is required beyond enticing the user to the content; the bugs are reached during ordinary content processing. Because Mozilla does not enumerate the individual bugs behind CVE-2025-8040, no platform-specific preconditions can be stated for this identifier. The separately numbered JIT and WebAssembly bugs fixed in the same releases (CVE-2025-8027 and CVE-2025-8028) do carry 64-bit and arm64 preconditions respectively, and are present across the affected products [1][3].
Impact
Successful exploitation of these memory safety bugs could allow an attacker to execute arbitrary code in the context of the browser or mail client. On platforms where Firefox's process sandbox is enabled, code execution from a content-process bug lands inside that sandbox, and reaching the full privileges of the logged-in user typically requires a separate sandbox-escape bug; with that access an attacker could read, modify, or delete local files, install malware, or pivot to other systems on the network. The impact is rated High with a CVSS v3 base score of 8.8, reflecting a network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability, held below the maximum because the victim must be induced to load attacker-controlled content [1].
Mitigation and Patches
Mozilla released fixed versions on July 22, 2025: Firefox 141, Firefox ESR 140.1, Thunderbird 141, and Thunderbird 140.1 [1][2][3][4]. Users and administrators should update to these versions immediately. Note that the release and ESR channels are fixed at different version numbers (141 versus 140.1), so an installed version must be compared against the fix for its own channel; the ESR channel is identifiable by the "esr" suffix shown in about:support or by `firefox --version`. No workarounds are documented; applying the patches is the only reliable mitigation. As of the generation date of this insight, the CVE was not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <141.0)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <140.1)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* (range: <141.0)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (range: <140.1)
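A version check against the ranges above, written as an added example; it is not code from Mozilla or from this database. It assumes the version string is the tail of `firefox --version` or `thunderbird --version` output, where Mozilla's `esr` suffix is the only thing that distinguishes an ESR build from a release build of the same number, and the two channels have different fixed versions (ESR 140.1 versus release 141). The product keys, the `cpe_ranges` switch and the `check_installed` helper are this example's own. With `cpe_ranges=False` the check narrows to the 140 line that Mozilla's description actually names, because the ESR CPE range as listed (<140.1) also covers older ESR lines the description does not mention.

```python
"""Classify a Firefox or Thunderbird build against the CVE-2025-8040 ranges.

Added example, not Mozilla's or this database's own code. Version strings
are parsed from the tail of `firefox --version` / `thunderbird --version`
output (e.g. "Mozilla Firefox 140.0.4esr").
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed version per (product, channel), from the advisory text and the
# CPE ranges on this page: release channel < 141.0, ESR channel < 140.1.
FIXED = {
    ("firefox", "release"): (141, 0, 0),
    ("firefox", "esr"): (140, 1, 0),
    ("thunderbird", "release"): (141, 0, 0),
    ("thunderbird", "esr"): (140, 1, 0),
}

# Major version line Mozilla's description actually names ("Firefox 140",
# "Firefox ESR 140.0"); the CPE ranges above are broader than this.
DESCRIBED_MAJOR = 140

# Matches "140", "140.0.4" or "140.1.0esr" at the end of the string,
# optionally preceded by a product name. 'esr' marks the ESR channel.
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*(esr)?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Version, str]:
    """Return ((major, minor, patch), channel) for a version string.

    Missing minor/patch components count as 0, so "141" == "141.0.0".
    Channel is "esr" when Mozilla's 'esr' suffix is present, else "release".
    """
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, esr = m.groups()
    version = (int(major), int(minor or 0), int(patch or 0))
    return version, ("esr" if esr else "release")


def is_affected(product: str, version_text: str, cpe_ranges: bool = True) -> bool:
    """True if the build is inside the CVE-2025-8040 affected range.

    cpe_ranges=True  -> use the page's CPE ranges (everything below the fix).
    cpe_ranges=False -> use only the 140 line that Mozilla's description names,
                        so e.g. ESR 128.x and release 139.x are reported clean.
    """
    version, channel = parse_version(version_text)
    fixed = FIXED.get((product.lower(), channel))
    if fixed is None:
        raise ValueError(f"unknown product: {product!r}")
    if version >= fixed:
        return False
    return True if cpe_ranges else version[0] == DESCRIBED_MAJOR


def check_installed(product: str, binary: Optional[str] = None) -> Optional[bool]:
    """Run `<binary> --version` on this host and classify the result.

    Returns None when the binary is not on PATH (e.g. on an offline test host).
    """
    binary = binary or product
    if shutil.which(binary) is None:
        return None
    out = subprocess.run([binary, "--version"], capture_output=True, text=True, timeout=60)
    return is_affected(product, out.stdout)


if __name__ == "__main__":
    # Constructed sample strings in the shape of `--version` output.
    samples = [
        ("firefox", "Mozilla Firefox 140.0.4"),       # release, below 141: affected
        ("firefox", "Mozilla Firefox 141.0"),         # release, fixed
        ("firefox", "Mozilla Firefox 140.0.4esr"),    # ESR, below 140.1: affected
        ("firefox", "Mozilla Firefox 140.1.0esr"),    # ESR, fixed
        ("thunderbird", "Thunderbird 140.0.1esr"),    # Thunderbird ESR: affected
        ("firefox", "Mozilla Firefox 128.13.0esr"),   # in CPE range, not in description
    ]
    for product, text in samples:
        print(f"{text:32} cpe={is_affected(product, text)} "
              f"described={is_affected(product, text, cpe_ranges=False)}")
    print("installed firefox affected:", check_installed("firefox"))
```

The point the sample table makes is the channel split: "140.0.4" and "140.0.4esr" are both affected, but the first is fixed only at 141 while the second is fixed at 140.1, so a naive numeric comparison against a single fixed version misclassifies one channel or the other.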
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.mozilla.org/security/advisories/mfsa2025-56/ (NVD: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-59/ (NVD: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-61/ (NVD: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-63/ (NVD: Vendor Advisory)
- bugzilla.mozilla.org/buglist.cgi (NVD)
News mentions
No linked articles in our index yet.