CVE-2025-1943 — Heap-based Buffer Overflow in Mozilla Firefox

CWE-122 — Heap-based Buffer Overflow CWE-120 — Classic Buffer Overflow CWE-787 — Out-of-bounds Write10 documents9 sources

Severity

8.2HIGHNVD

EPSS

0.4%

top 41.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird

Timeline

PublishedMar 4

Latest updateFeb 2

Description

Memory safety bugs present in Firefox 135 and Thunderbird 135. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 136 and Thunderbird 136.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:HExploitability: 3.9 | Impact: 4.2

Affected Packages4 packages

▶NVDmozilla/firefox< 136.0

▶NVDmozilla/thunderbird< 136.0

▶Ubuntumozilla/firefox< 136.0+build3-0ubuntu0.20.04.1

▶Ubuntumozilla/thunderbird< 1:140.7.1+build1-0ubuntu0.22.04.1

🔴Vulnerability Details

CVEList

Memory safety bugs fixed in Firefox 136 and Thunderbird 136↗2025-03-04

▶

GHSA

GHSA-3g8j-6hfm-wj7g: Memory safety bugs present in Firefox 135 and Thunderbird 135↗2025-03-04

▶

OSV

CVE-2025-1943: Memory safety bugs present in Firefox 135 and Thunderbird 135↗2025-03-04

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2026-02-02

▶

Red Hat

firefox: thunderbird: Memory safety bugs fixed in Firefox 136 and Thunderbird 136↗2025-03-04

▶

Debian

CVE-2025-1943: firefox - Memory safety bugs present in Firefox 135 and Thunderbird 135. Some of these bug...↗2025

▶

Microsoft

A flaw out of bounds memory write in the Linux kernel UDF file system functionality was found in the way user triggers some file operation which triggers udf_write_fi(). A local user could use this fl↗2022-06-14

▶

Mozilla

Mozilla Foundation Security Advisory 2025-14: CVE-2025-1943↗

▶