Out of Bounds Read and Write Vulnerability in Mozilla Firefox and Thunderbird
CVE-2025-11709

9.8CRITICAL

Key Information:

Vendor: Mozilla
Status: Firefox; Firefox Esr; Thunderbird
Vendor: CVE Published:; 14 October 2025

What is CVE-2025-11709?

A vulnerability exists in Mozilla Firefox and Thunderbird that enables a compromised web process to initiate out-of-bounds reads and writes within a more privileged process. This risk is introduced through manipulated WebGL textures, allowing attackers to bypass security measures. The affected versions include Firefox versions below 144, specific Firefox ESR versions below 115.29 and 140.4, as well as Thunderbird versions below 144 and 140.4. Users should ensure they are running the latest versions to mitigate this potential threat.

Affected Version(s)

Firefox < 144

Firefox ESR < 115.29

Firefox ESR < 140.4

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1989127

https://www.mozilla.org/security/advisories/mfsa2025-81/

https://www.mozilla.org/security/advisories/mfsa2025-82/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 14, 2025
Vulnerability Reserved
Oct 13, 2025

Credit

Oskar L

JSON