PT-2025-46356 · Mozilla · Firefox ESR
Aisle Research
Published 2025-11-11 · Updated 2026-02-11
CVE-2025-13016
CVSS v2.0: 10 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Mozilla Firefox versions prior to 145
Mozilla Firefox ESR versions prior to 140.5
Thunderbird versions prior to 145
Thunderbird versions prior to 140.5
Mozilla Firefox ESR versions prior to 140.5.0esr-1deb11u1
Mozilla Firefox ESR versions prior to 140.5.0esr-1deb12u1
Mozilla Firefox ESR versions prior to 140.5.0esr-1deb13u1
Thunderbird versions prior to 1:140.5.0esr-1deb12u1
Thunderbird versions prior to 1:140.5.0esr-1deb13u1
Thunderbird versions prior to 1:140.5.0esr-1deb11u1
Description
A flaw exists in the JavaScript WebAssembly component of Firefox and Thunderbird: incorrect boundary conditions lead to a stack buffer overflow. A remote attacker could exploit it to execute arbitrary code via a malicious web page. Approximately 180 million users may be affected. The issue is related to WebAssembly garbage collection and involves faulty pointer arithmetic. Successful exploitation could lead to arbitrary code execution, session hijacking, or full system compromise.
Recommendations
Upgrade Firefox to version 145 or later.
Upgrade Firefox ESR to version 140.5 or later.
Upgrade Thunderbird to version 145 or later.
Upgrade Thunderbird to version 140.5 or later.
Upgrade Firefox ESR to version 140.5.0esr-1deb11u1 or later.
Upgrade Firefox ESR to version 140.5.0esr-1deb12u1 or later.
Upgrade Firefox ESR to version 140.5.0esr-1deb13u1 or later.
Upgrade Thunderbird to version 1:140.5.0esr-1deb12u1 or later.
Upgrade Thunderbird to version 1:140.5.0esr-1deb13u1 or later.
Upgrade Thunderbird to version 1:140.5.0esr-1deb11u1 or later.
Fix · RCE · Buffer Overflow
Affected Products
ALT Linux
AlmaLinux
CentOS
Firefox
Firefox ESR
Linux Mint
Red Hat
Rocky Linux
SUSE
Ubuntu