Mozilla Foundation Security Advisory 2025-78

Security Vulnerabilities fixed in Thunderbird 140.3

Announced

September 16, 2025

Impact

high

Products

Thunderbird

Fixed in

Thunderbird 140.3

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

#CVE-2025-10527: Sandbox escape due to use-after-free in the Graphics: Canvas2D component

Reporter: Oskar L
Impact: high

References

Bug 1984825

#CVE-2025-10528: Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component

Reporter: Oskar L
Impact: high

References

Bug 1986185

#CVE-2025-10529: Same-origin policy bypass in the Layout component

Reporter: Daniel Holbert
Impact: moderate

References

Bug 1970490

#CVE-2025-10532: Incorrect boundary conditions in the JavaScript: GC component

Reporter: Gary Kwong
Impact: moderate

References

Bug 1979502

#CVE-2025-10533: Integer overflow in the SVG component

Reporter: Andrew Creskey
Impact: moderate

References

Bug 1980788

#CVE-2025-10536: Information disclosure in the Networking: Cache component

Reporter: Ibuki Sato
Impact: low

References

Bug 1981502

#CVE-2025-10537: Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143

Reporter: Andrew McCreight and the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143

Mozilla VPN

Mozilla Monitor

Firefox Relay

MDN Plus

Thunderbird

About Mozilla

The Mozilla Manifesto

Get Involved

Blog