Mozilla Foundation Security Advisory 2025-78

Security Vulnerabilities fixed in Thunderbird 140.3

Announced
September 16, 2025
Impact
high
Products
Thunderbird
Fixed in
  • Thunderbird 140.3

In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.

#CVE-2025-10527: Sandbox escape due to use-after-free in the Graphics: Canvas2D component

Reporter
Oskar L
Impact
high
References

#CVE-2025-10528: Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component

Reporter
Oskar L
Impact
high
References

#CVE-2025-10529: Same-origin policy bypass in the Layout component

Reporter
Daniel Holbert
Impact
moderate
References

#CVE-2025-10532: Incorrect boundary conditions in the JavaScript: GC component

Reporter
Gary Kwong
Impact
moderate
References

#CVE-2025-10533: Integer overflow in the SVG component

Reporter
Andrew Creskey
Impact
moderate
References

#CVE-2025-10536: Information disclosure in the Networking: Cache component

Reporter
Ibuki Sato
Impact
low
References

#CVE-2025-10537: Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143

Reporter
Andrew McCreight and the Mozilla Fuzzing Team
Impact
high
Description

Memory safety bugs present in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References