CVE-2025-9179Improper Restriction of Operations within the Bounds of a Memory Buffer in Mozilla Firefox

CWE-119Improper Restriction of Operations within the Bounds of a Memory BufferCWE-20Improper Input Validation15 documents9 sources
Severity
9.8CRITICALNVD
EPSS
0.1%
top 69.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Mozilla ThunderbirdMozilla Firefox
Timeline
PublishedAug 19
Latest updateFeb 2

Description

An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDmozilla/firefox128.0128.14.0+3
NVDmozilla/thunderbird140.0140.2.0+2
Debianmozilla/thunderbird< 1:128.14.0esr-1~deb11u1+3

🔴Vulnerability Details

3
GHSA
GHSA-7379-6rf2-q4f9: An attacker was able to perform memory corruption in the GMP process which processes encrypted media2025-08-19
CVEList
Sandbox escape due to invalid pointer in the Audio/Video: GMP component2025-08-19
OSV
CVE-2025-9179: An attacker was able to perform memory corruption in the GMP process which processes encrypted media2025-08-19

📋Vendor Advisories

11
Ubuntu
Thunderbird vulnerabilities2026-02-02
Red Hat
thunderbird: firefox: Sandbox escape due to invalid pointer in the Audio/Video: GMP component2025-08-19
Debian
CVE-2025-9179: firefox - An attacker was able to perform memory corruption in the GMP process which proce...2025
Microsoft
It was found that Lynx doesn't parse the authority component of the URL correctly2016-12-13
Mozilla
Mozilla Foundation Security Advisory 2025-65: CVE-2025-9179
CVE-2025-9179 — Mozilla Firefox vulnerability | cvebase