Security Vulnerabilities fixed in Thunderbird 149.0.2 — Mozilla

Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...

Security Vulnerabilities fixed in Thunderbird 140.9 — Mozilla

A malicious mail server could send malformed strings with negative lengths, causing the parser to read memory outside the buffer. If a mail server or connection to a mail server were compromised, an attacker could cause the parser to malfunction, potentially crashing Thunderbird or leaking...

Security Vulnerabilities fixed in Firefox 148 — Mozilla

Memory safety bugs present in Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7,...

Security Vulnerabilities fixed in Firefox ESR 140.8 — Mozilla

Memory safety bugs present in Firefox ESR 140.7, Thunderbird ESR 140.7, Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in...

Security Vulnerabilities fixed in Firefox for iOS 147.4 — Mozilla

Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains...

Security Vulnerabilities fixed in Firefox for iOS 147.2.1 — Mozilla

Malicious scripts that interrupt new tab page loading could cause desynchronization between the address bar and page content, allowing the attacker to spoof arbitrary HTML under a trusted domain...

Security Vulnerabilities fixed in Firefox ESR 115.31 — Mozilla

CVE-2025-14322: Sandbox escape due to incorrect boundary conditions in the Graphics: CanvasWebGL component Reporter Oskar L Impact high References Bug 1996473 CVE-2025-14323: Privilege escalation in the DOM: Notifications component Reporter tiebuchen Impact high References Bug 1996555...

Security Vulnerabilities fixed in Thunderbird 146 — Mozilla

Memory safety bugs present in Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5,...

Security Vulnerabilities fixed in Firefox ESR 115.30 — Mozilla

CVE-2025-13012: Race condition in the Graphics component Reporter Irvan Kurniawan Impact high References Bug 1991458 CVE-2025-13013: Mitigation bypass in the DOM: Core & HTML component Reporter Masato Kinugawa Impact moderate References Bug 1991945 CVE-2025-13014: Use-after-free in the Audio/Vide...

Security Vulnerabilities fixed in Thunderbird 140.3 — Mozilla

Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...

Security Vulnerabilities fixed in Firefox ESR 115.28 — Mozilla

CVE-2025-10533: Integer overflow in the SVG component Reporter Andrew Creskey Impact moderate References Bug 1980788...

Security Vulnerabilities fixed in Firefox ESR 128.14 — Mozilla

An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. Same-origin policy bypass in the Graphics: Canvas2D component. Uninitialized memory ...

Security Vulnerabilities fixed in Firefox ESR 115.27 — Mozilla

An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. Same-origin policy bypass in the Graphics: Canvas2D component. Memory safety bugs...

Security Vulnerabilities fixed in Thunderbird 140.2 — Mozilla

An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. Same-origin policy bypass in the Graphics: Canvas2D component. Uninitialized memory ...

Security Vulnerabilities fixed in Firefox ESR 140.1 — Mozilla

On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. On arm64, a WASM brtable instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrec...

Security Vulnerabilities fixed in Thunderbird 139.0.2 — Mozilla

A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data e.g. using /dev/urandom on Linux or to...

Security Vulnerabilities fixed in Thunderbird 128.11.1 — Mozilla

A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data e.g. using /dev/urandom on Linux or to...

Security Vulnerabilities fixed in Firefox for iOS 139 — Mozilla

Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client...

Security Vulnerabilities fixed in Firefox ESR 128.6 — Mozilla

The WebChannel API, which is used to transport various information across processes, did not check the sending principal but rather accepted the principal being sent. This could have led to privilege escalation attacks. Assuming a controlled failed memory allocation, an attacker could have caused...

Security Vulnerabilities fixed in Thunderbird 140.12 — Mozilla

Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in...

Security Vulnerabilities fixed in Thunderbird 140.10.1 — Mozilla

Memory safety bugs present in Thunderbird ESR 140.10.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in Thunderbird ESR 140.10.0 and...

Security Vulnerabilities fixed in Firefox ESR 115.34.1 — Mozilla

Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...

Security Vulnerabilities fixed in Firefox ESR 140.9.1 — Mozilla

Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...

Security Vulnerabilities fixed in Thunderbird 140.9.1 — Mozilla

Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...

Security Vulnerabilities fixed in Firefox 148.0.2 — Mozilla

Memory safety bugs present in Firefox 148.0.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...

Security Vulnerabilities fixed in Firefox 147.0.4, ESR 140.7.1, and ESR 115.32.1 — Mozilla

CVE-2026-2447: Heap buffer overflow in libvpx Reporter jayjayjazz Impact high References Bug 2014390...

Security Vulnerabilities fixed in Thunderbird 147.0.1 — Mozilla

When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If...

Security Vulnerabilities fixed in Thunderbird 140.7.1 — Mozilla

When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If...

Security Vulnerabilities fixed in Firefox 146 — Mozilla

Memory safety bugs present in Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5,...

Security Vulnerabilities fixed in Firefox ESR 140.6 — Mozilla

Memory safety bugs present in Firefox ESR 140.5, Thunderbird ESR 140.5, Firefox 145 and Thunderbird 145. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...

Security Vulnerabilities fixed in Firefox ESR 140.5 — Mozilla

CVE-2025-13012: Race condition in the Graphics component Reporter Irvan Kurniawan Impact high References Bug 1991458 CVE-2025-13016: Incorrect boundary conditions in the JavaScript: WebAssembly component Reporter Igor Morgenstern Impact high References Bug 1992130 CVE-2025-13017: Same-origin poli...

Security Vulnerabilities fixed in Firefox 144.0.2 — Mozilla

Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox...

Security Vulnerabilities fixed in Firefox ESR 140.4 — Mozilla

Use-after-free in MediaTrackGraphImpl::GetInstance A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. A compromised web process using malicious IPC messages could have caused the privileged browser process to...

Security Vulnerabilities fixed in Firefox 143.0.3 — Mozilla

CVE-2025-11152: Sandbox escape due to integer overflow in the Graphics: Canvas2D component Reporter Oskar L Impact high References Bug 1987246 CVE-2025-11153: JIT miscompilation in the JavaScript Engine: JIT component Reporter Nan Wang Impact high References Bug 1987481...

Security Vulnerabilities fixed in Firefox for iOS 143.1 — Mozilla

Cookie storage for non-HTML temporary documents was being shared incorrectly with normal browsing content, allowing information from private tabs to escape Incognito mode even after the user closed all tabs...

Security Vulnerabilities fixed in Firefox ESR 140.2 — Mozilla

An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. Same-origin policy bypass in the Graphics: Canvas2D component. Uninitialized memory ...

Security Vulnerabilities fixed in Firefox 142 — Mozilla

An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. Same-origin policy bypass in the Graphics: Canvas2D component. Uninitialized memory ...

Security Vulnerabilities fixed in Thunderbird 142 — Mozilla

An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. Same-origin policy bypass in the Graphics: Canvas2D component. Uninitialized memory ...

Security Vulnerabilities fixed in Focus for iOS 142 — Mozilla

Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS...

Security Vulnerabilities fixed in Thunderbird 128.14 — Mozilla

An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. Same-origin policy bypass in the Graphics: Canvas2D component. Uninitialized memory ...

Security Vulnerabilities fixed in Thunderbird 128.13 — Mozilla

On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. On arm64, a WASM brtable instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrec...

Security Vulnerabilities fixed in Thunderbird 128.12 — Mozilla

A use-after-free in FontFaceSet resulted in a potentially exploitable crash. An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. Th...

Security Vulnerabilities fixed in Thunderbird ESR 128.9.2 — Mozilla

Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validate...

Security Vulnerabilities fixed in Firefox 152 — Mozilla

Memory safety bugs present in Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11,...

Security Vulnerabilities fixed in Firefox ESR 140.12 — Mozilla

Memory safety bugs present in Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in...

Security Vulnerabilities fixed in Focus for iOS / Klar 151.3.1 — Mozilla

CVE-2026-11799: UXSS in Focus for iOS / Klar Webkit navigation Reporter Renwa Hiwa Impact high References Bug 1975667...

Security Vulnerabilities fixed in Firefox ESR 140.7 — Mozilla

Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...

Security Vulnerabilities fixed in Firefox 147 — Mozilla

Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. Memory safety bugs present in...

Security Vulnerabilities fixed in Firefox 146.0.1 — Mozilla

Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code...

Security Vulnerabilities fixed in Thunderbird 140.5 — Mozilla

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. CVE-2025-13012: Race condition in the Graphics component Reporter Irvan Kurniawan Impact high...