CVE-2025-9185
Description
Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memory safety bugs in Firefox and Thunderbird could allow arbitrary code execution; fixed in version 142 and ESR updates.
Vulnerability
Overview
CVE-2025-9185 is a collection of memory safety bugs present in multiple versions of Firefox and Thunderbird, including Firefox ESR 115.26, 128.13, 140.1, Firefox 141, and corresponding Thunderbird ESR and Thunderbird releases. The official description states that these bugs showed evidence of memory corruption, and with enough effort, some could be exploited to run arbitrary code [1]. The vulnerability was fixed in Firefox 142, Firefox ESR 115.27, 128.14, 140.2, Thunderbird 142, and Thunderbird ESR 128.14 and 140.2 [1].
Exploitation and Attack Surface
The memory safety bugs are present in the browser and mail client components but are not individually detailed in the advisory. For Thunderbird, the advisory notes that these flaws cannot be exploited through email because scripting is disabled when reading mail, but they remain a risk in browser or browser-like contexts [2][4]. The attack surface is primarily web content: a crafted malicious webpage could trigger the memory corruption.
Impact
Successful exploitation could allow an attacker to achieve arbitrary code execution in the context of the affected application. Given the high severity (CVSS 8.1) and the potential for memory corruption, this could lead to full compromise of the user's system, including data theft, installation of malware, or further lateral movement.
Mitigation
Mozilla has released patched versions for all affected products. Users should update to Firefox 142, Firefox ESR 115.27/128.14/140.2, Thunderbird 142, or Thunderbird ESR 128.14/140.2 as applicable [1][2][3][4]. No workarounds are available; updating.
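As an added example (not part of this record or of Mozilla's tooling), a small fleet-triage helper that applies the fixed versions listed above to inventory data; it assumes Mozilla's version-string format (e.g. `128.13.0esr`, with the `esr` suffix marking the ESR channel), and the inventory lines are constructed sample data.

```python
import re

# Fixed releases per product and branch, taken from the advisory text above.
FIXED = {
    "firefox": {"esr": {115: (115, 27, 0), 128: (128, 14, 0), 140: (140, 2, 0)},
                "main": (142, 0, 0)},
    "thunderbird": {"esr": {128: (128, 14, 0), 140: (140, 2, 0)},
                    "main": (142, 0, 0)},
}
_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?")


def parse_version(text):
    """'128.13.0esr' -> ((128, 13, 0), True); missing components become 0."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), esr is not None


def triage(product, version_text):
    """Return 'vulnerable', 'fixed' or 'unlisted-esr-branch' for one install.
    ESR builds are compared with the fix for their own branch; an ESR branch the
    advisory does not list is reported, not guessed at.  Mainline uses 142.0."""
    version, is_esr = parse_version(version_text)
    fixed = FIXED[product.strip().lower()]
    if is_esr:
        branch_fix = fixed["esr"].get(version[0])
        if branch_fix is None:
            return "unlisted-esr-branch"
        return "vulnerable" if version < branch_fix else "fixed"
    return "vulnerable" if version < fixed["main"] else "fixed"


def triage_inventory(lines):
    """Map 'host,product,version' inventory lines to a {host: status} dict."""
    statuses = {}
    for line in lines:
        host, product, version = (field.strip() for field in line.split(","))
        statuses[host] = triage(product, version)
    return statuses


SAMPLE_INVENTORY = [  # constructed sample data, not real hosts
    "ws01,firefox,141.0.3",         # mainline before 142 -> vulnerable
    "srv03,firefox,115.26.0esr",    # ESR 115 before 115.27 -> vulnerable
    "ws04,thunderbird,140.1.0esr",  # ESR 140 before 140.2 -> vulnerable
    "ws05,thunderbird,115.20.0esr", # Thunderbird 115 ESR is not in the advisory
]
```

Hosts reported as `unlisted-esr-branch` need a manual look against the vendor advisory rather than an automatic verdict.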
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* range: <142.0
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* range: <115.27.0
- (no CPE) range: <=141
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* range: <142.0
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* range: <128.14.0
- (no CPE) range: <=141
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.mozilla.org/security/advisories/mfsa2025-64/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-65/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-66/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-67/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-70/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-71/ (nvd; Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2025-72/ (nvd; Vendor Advisory)
- bugzilla.mozilla.org/buglist.cgi (nvd; Broken Link)
- lists.debian.org/debian-lts-announce/2025/08/msg00016.html (nvd)
- lists.debian.org/debian-lts-announce/2025/08/msg00018.html (nvd)
News mentions
No linked articles in our index yet.