CVE-2025-9184
Description
Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 142, Firefox ESR 140.2, Thunderbird 142, and Thunderbird 140.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory safety bugs in Firefox and Thunderbird before versions 142/140.2 could be exploited to achieve arbitrary code execution.
Vulnerability Overview
CVE-2025-9184 is a collection of memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141, and Thunderbird 141. The Mozilla Foundation Security Advisories confirm that these bugs show evidence of memory corruption, and with enough effort could be exploited to run arbitrary code [1][2][3][4]. The root cause lies in improper handling of memory operations within the browser and email client codebases.
Exploitation and Attack Surface
An attacker would need to lure a user to a malicious website or inject crafted content into a browser-like context. According to the advisories, these flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail [2][4]. However, in a browser or browser-like environment, the attacker could trigger the memory corruption without authentication, potentially leading to code execution.
Impact
Successful exploitation would allow an attacker to execute arbitrary code in the context of the affected application, compromising confidentiality, integrity, and availability. The CVSS v3 score of 8.1 (High) reflects the serious nature of these vulnerabilities.
Mitigation
Mozilla has fixed these bugs in Firefox 142, Firefox ESR 140.2, Thunderbird 142, and Thunderbird 140.2 [1][2][3][4]. Users should update to these versions immediately.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* range: <142.0
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* range: <140.2.0
- (no CPE) range: =141
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* range: <142.0
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* range: <140.2.0
- (no CPE) range: =141
- Range: =140.1
- Range: =140.1
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2025-64/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-67/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-70/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-72/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/buglist.cgi (nvd, Broken Link)