CVE-2025-9181 — Use of Uninitialized Variable in Mozilla Firefox

CWE-457 — Use of Uninitialized Variable CWE-665 — Improper Initialization13 documents8 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 80.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird Mozilla Firefox

Timeline

PublishedAug 19

Latest updateFeb 2

Description

Uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 142, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDmozilla/firefox140.0 — 140.2.0+2

▶NVDmozilla/thunderbird140.0 — 140.2.0+2

▶Debianmozilla/thunderbird< 1:128.14.0esr-1~deb11u1+3

🔴Vulnerability Details

OSV

CVE-2025-9181: Uninitialized memory in the JavaScript Engine component↗2025-08-19

▶

CVEList

Uninitialized memory in the JavaScript Engine component↗2025-08-19

▶

GHSA

GHSA-4c9v-rqpw-wrj7: Uninitialized memory in the JavaScript Engine component↗2025-08-19

▶

📋Vendor Advisories

Ubuntu

Thunderbird vulnerabilities↗2026-02-02

▶

Red Hat

thunderbird: firefox: Uninitialized memory in the JavaScript Engine component↗2025-08-19

▶

Debian

CVE-2025-9181: firefox - Uninitialized memory in the JavaScript Engine component. This vulnerability affe...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-71: CVE-2025-9181↗

▶

Mozilla

Mozilla Foundation Security Advisory 2025-67: CVE-2025-9181↗

▶