Search for vulnerabilities
Vulnerability details: VCID-bkak-uvkp-kqdf
Vulnerability ID VCID-bkak-uvkp-kqdf
Aliases CVE-2025-5268
Summary Memory safety bugs present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
System Score Found at
cvssv3 6.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5268.json
epss 0.00029 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.00029 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.0003 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2025-5268
cvssv3.1 6.5 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1950136%2C1958121%2C1960499%2C1962634
ssvc Track https://bugzilla.mozilla.org/buglist.cgi?bug_id=1950136%2C1958121%2C1960499%2C1962634
cvssv3.1 6.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
generic_textual critical https://www.mozilla.org/en-US/security/advisories/mfsa2025-42
generic_textual critical https://www.mozilla.org/en-US/security/advisories/mfsa2025-44
generic_textual critical https://www.mozilla.org/en-US/security/advisories/mfsa2025-45
generic_textual critical https://www.mozilla.org/en-US/security/advisories/mfsa2025-46
cvssv3.1 6.5 https://www.mozilla.org/security/advisories/mfsa2025-42/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2025-42/
cvssv3.1 6.5 https://www.mozilla.org/security/advisories/mfsa2025-44/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2025-44/
cvssv3.1 6.5 https://www.mozilla.org/security/advisories/mfsa2025-45/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2025-45/
cvssv3.1 6.5 https://www.mozilla.org/security/advisories/mfsa2025-46/
ssvc Track https://www.mozilla.org/security/advisories/mfsa2025-46/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5268.json
https://api.first.org/data/v1/epss?cve=CVE-2025-5268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5268
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2368752 https://bugzilla.redhat.com/show_bug.cgi?id=2368752
buglist.cgi?bug_id=1950136%2C1958121%2C1960499%2C1962634 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1950136%2C1958121%2C1960499%2C1962634
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
CVE-2025-5268 https://nvd.nist.gov/vuln/detail/CVE-2025-5268
mfsa2025-42 https://www.mozilla.org/en-US/security/advisories/mfsa2025-42
mfsa2025-42 https://www.mozilla.org/security/advisories/mfsa2025-42/
mfsa2025-44 https://www.mozilla.org/en-US/security/advisories/mfsa2025-44
mfsa2025-44 https://www.mozilla.org/security/advisories/mfsa2025-44/
mfsa2025-45 https://www.mozilla.org/en-US/security/advisories/mfsa2025-45
mfsa2025-45 https://www.mozilla.org/security/advisories/mfsa2025-45/
mfsa2025-46 https://www.mozilla.org/en-US/security/advisories/mfsa2025-46
mfsa2025-46 https://www.mozilla.org/security/advisories/mfsa2025-46/
RHSA-2025:8293 https://access.redhat.com/errata/RHSA-2025:8293
RHSA-2025:8308 https://access.redhat.com/errata/RHSA-2025:8308
RHSA-2025:8341 https://access.redhat.com/errata/RHSA-2025:8341
RHSA-2025:8598 https://access.redhat.com/errata/RHSA-2025:8598
RHSA-2025:8599 https://access.redhat.com/errata/RHSA-2025:8599
RHSA-2025:8607 https://access.redhat.com/errata/RHSA-2025:8607
RHSA-2025:8608 https://access.redhat.com/errata/RHSA-2025:8608
RHSA-2025:8628 https://access.redhat.com/errata/RHSA-2025:8628
RHSA-2025:8629 https://access.redhat.com/errata/RHSA-2025:8629
RHSA-2025:8630 https://access.redhat.com/errata/RHSA-2025:8630
RHSA-2025:8631 https://access.redhat.com/errata/RHSA-2025:8631
RHSA-2025:8642 https://access.redhat.com/errata/RHSA-2025:8642
RHSA-2025:8756 https://access.redhat.com/errata/RHSA-2025:8756
RHSA-2025:9071 https://access.redhat.com/errata/RHSA-2025:9071
RHSA-2025:9072 https://access.redhat.com/errata/RHSA-2025:9072
RHSA-2025:9073 https://access.redhat.com/errata/RHSA-2025:9073
RHSA-2025:9074 https://access.redhat.com/errata/RHSA-2025:9074
RHSA-2025:9075 https://access.redhat.com/errata/RHSA-2025:9075
RHSA-2025:9076 https://access.redhat.com/errata/RHSA-2025:9076
RHSA-2025:9077 https://access.redhat.com/errata/RHSA-2025:9077
RHSA-2025:9155 https://access.redhat.com/errata/RHSA-2025:9155
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-5268.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://bugzilla.mozilla.org/buglist.cgi?bug_id=1950136%2C1958121%2C1960499%2C1962634
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-27T17:43:29Z/ Found at https://bugzilla.mozilla.org/buglist.cgi?bug_id=1950136%2C1958121%2C1960499%2C1962634
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-42/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-27T17:43:29Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-42/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-44/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-27T17:43:29Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-44/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-45/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-27T17:43:29Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-45/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://www.mozilla.org/security/advisories/mfsa2025-46/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-05-27T17:43:29Z/ Found at https://www.mozilla.org/security/advisories/mfsa2025-46/
Exploit Prediction Scoring System (EPSS)
Percentile 0.0645
EPSS Score 0.00029
Published At May 28, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-05-27T20:08:35.217677+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2025/mfsa2025-42.yml 36.0.0