CVE-2025-4093 - Vulnerability Details

Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird < 128.10.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Mozilla	Firefox Thunderbird
Redhat	Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:thunderbird:::::esr:::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 10
firefox-0:128.10.0-1.el10_0	cpe:/o:redhat:enterprise_linux:10.0	RHSA-2025:7506	2025-05-13T00:00:00Z
thunderbird-0:128.10.0-1.el10_0	cpe:/o:redhat:enterprise_linux:10.0	RHSA-2025:7507	2025-05-13T00:00:00Z
Red Hat Enterprise Linux 7 Extended Lifecycle Support
firefox-0:128.10.0-1.el7_9	cpe:/o:redhat:rhel_els:7	RHSA-2025:4751	2025-05-08T00:00:00Z
Red Hat Enterprise Linux 8
firefox-0:128.10.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:4458	2025-05-05T00:00:00Z
thunderbird-0:128.10.0-1.el8_10	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:4797	2025-05-12T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
firefox-0:128.10.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:7547	2025-05-14T00:00:00Z
thunderbird-0:128.10.0-1.el8_2	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:7693	2025-05-15T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
firefox-0:128.10.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:7545	2025-05-14T00:00:00Z
thunderbird-0:128.10.0-1.el8_4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:7691	2025-05-15T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
firefox-0:128.10.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2025:7545	2025-05-14T00:00:00Z
thunderbird-0:128.10.0-1.el8_4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2025:7691	2025-05-15T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
firefox-0:128.10.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2025:7545	2025-05-14T00:00:00Z
thunderbird-0:128.10.0-1.el8_4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2025:7691	2025-05-15T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
firefox-0:128.10.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:7544	2025-05-14T00:00:00Z
thunderbird-0:128.10.0-1.el8_6	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:7690	2025-05-15T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
firefox-0:128.10.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:7544	2025-05-14T00:00:00Z
thunderbird-0:128.10.0-1.el8_6	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:7690	2025-05-15T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
firefox-0:128.10.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:7544	2025-05-14T00:00:00Z
thunderbird-0:128.10.0-1.el8_6	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:7690	2025-05-15T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
firefox-0:128.10.0-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2025:7543	2025-05-14T00:00:00Z
thunderbird-0:128.10.0-1.el8_8	cpe:/a:redhat:rhel_eus:8.8	RHSA-2025:7689	2025-05-15T00:00:00Z
Red Hat Enterprise Linux 9
firefox-0:128.10.0-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:4443	2025-05-05T00:00:00Z
thunderbird-0:128.10.0-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:4460	2025-05-05T00:00:00Z
firefox-0:128.10.0-1.el9_6	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:7428	2025-05-13T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
firefox-0:128.10.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:4753	2025-05-08T00:00:00Z
thunderbird-0:128.10.0-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:7692	2025-05-15T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
firefox-0:128.10.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:4752	2025-05-08T00:00:00Z
thunderbird-0:128.10.0-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2025:7694	2025-05-15T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
firefox-0:128.10.0-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:4756	2025-05-08T00:00:00Z
thunderbird-0:128.10.0-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:7695	2025-05-15T00:00:00Z

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1894100
https://nvd.nist.gov/vuln/detail/CVE-2025-4093
https://www.cve.org/CVERecord?id=CVE-2025-4093
https://www.mozilla.org/security/advisories/mfsa2025-29/
https://www.mozilla.org/security/advisories/mfsa2025-32/

History

Wed, 14 May 2025 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_eus:8.8 cpe:/a:redhat:rhel_tus:8.4 cpe:/a:redhat:rhel_tus:8.6
Vendors & Products		Redhat rhel Aus Redhat rhel Tus

Wed, 14 May 2025 02:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:enterprise_linux:10.0

Sat, 10 May 2025 03:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:9.4

Fri, 09 May 2025 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox Mozilla thunderbird
CPEs		cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird:::::esr:::*
Vendors & Products		Mozilla Mozilla firefox Mozilla thunderbird

Fri, 09 May 2025 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel E4s Redhat rhel Els Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:9.2 cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel E4s Redhat rhel Els Redhat rhel Eus

Mon, 05 May 2025 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

Fri, 02 May 2025 02:45:00 +0000

Type	Values Removed	Values Added
Title		firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10
Weaknesses		CWE-120
References		https://nvd.nist.gov/vuln/detail/CVE-2025-4093 https://www.cve.org/CVERecord?id=CVE-2025-4093
Metrics	threat_severity `None`	threat_severity `Important`

Thu, 01 May 2025 14:30:00 +0000

Type	Values Removed	Values Added
Description	Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird ESR < 128.10.	Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird < 128.10.

Tue, 29 Apr 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 29 Apr 2025 13:30:00 +0000

Type	Values Removed	Values Added
Description		Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird ESR < 128.10.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1894100 https://www.mozilla.org/security/advisories/mfsa2025-29/ https://www.mozilla.org/security/advisories/mfsa2025-32/

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-04-29T13:13:50.917Z

Updated: 2025-05-01T14:22:04.123Z

Reserved: 2025-04-29T13:13:50.246Z

Link: CVE-2025-4093

Vulnrichment

Updated: 2025-04-29T15:32:34.756Z

NVD

Status : Analyzed

Published: 2025-04-29T14:15:35.907

Modified: 2025-05-09T19:31:46.917

Link: CVE-2025-4093

Redhat

Severity : Important

Publid Date: 2025-04-29T13:13:50Z

Links: CVE-2025-4093 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-4093", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-04-29T13:13:50.246Z", "datePublished": "2025-04-29T13:13:50.917Z", "dateUpdated": "2025-05-01T14:22:04.123Z"}, "containers": {"cna": {"affected": [{"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "128.10", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "128.10", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird < 128.10.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird < 128.10."}]}], "problemTypes": [{"descriptions": [{"description": "Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10", "lang": "en", "type": "text"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1894100", "name": "Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-29/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-32/"}], "credits": [{"lang": "en", "value": "Andrew McCreight"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2025-05-01T14:22:04.123Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-29T15:16:24.376458Z", "id": "CVE-2025-4093", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-29T15:32:42.591Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-4093", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-29T15:16:24.376458Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-29T15:32:34.756Z"}}], "cna": {"credits": [{"lang": "en", "value": "Andrew McCreight"}], "affected": [{"vendor": "Mozilla", "product": "Firefox ESR", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "128.10", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "128.10", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1894100", "name": "Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-29/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-32/"}], "descriptions": [{"lang": "en", "value": "Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird < 128.10.", "supportingMedia": [{"type": "text/html", "value": "Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird < 128.10.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10"}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2025-05-01T14:22:04.123Z"}}}, "cveMetadata": {"cveId": "CVE-2025-4093", "state": "PUBLISHED", "dateUpdated": "2025-05-01T14:22:04.123Z", "dateReserved": "2025-04-29T13:13:50.246Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-04-29T13:13:50.917Z", "assignerShortName": "mozilla"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "3378E5EE-9ABF-444B-AA88-9EAF8D8058DE", "versionEndExcluding": "128.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "matchCriteriaId": "DC19822B-CC07-4C6F-BAAD-C7A9C4E73FA9", "versionEndExcluding": "128.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird < 128.10."}, {"lang": "es", "value": "Error de seguridad de memoria presente en Firefox ESR 128.9 y Thunderbird 128.9. Este error mostr\u00f3 evidencia de corrupci\u00f3n de memoria y presumimos que, con suficiente esfuerzo, podr\u00eda haberse explotado para ejecutar c\u00f3digo arbitrario. Esta vulnerabilidad afecta a Firefox ESR < 128.10 y Thunderbird ESR < 128.10."}], "id": "CVE-2025-4093", "lastModified": "2025-05-09T19:31:46.917", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-04-29T14:15:35.907", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1894100"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-29/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-32/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:7506", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "firefox-0:128.10.0-1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:7507", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "thunderbird-0:128.10.0-1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:4751", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "firefox-0:128.10.0-1.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2025-05-08T00:00:00Z"}, {"advisory": "RHSA-2025:4458", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:128.10.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-05-05T00:00:00Z"}, {"advisory": "RHSA-2025:4797", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:128.10.0-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-05-12T00:00:00Z"}, {"advisory": "RHSA-2025:7547", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:128.10.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2025-05-14T00:00:00Z"}, {"advisory": "RHSA-2025:7693", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:128.10.0-1.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2025-05-15T00:00:00Z"}, {"advisory": "RHSA-2025:7545", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "firefox-0:128.10.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-05-14T00:00:00Z"}, {"advisory": "RHSA-2025:7691", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "thunderbird-0:128.10.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-05-15T00:00:00Z"}, {"advisory": "RHSA-2025:7545", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "firefox-0:128.10.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-05-14T00:00:00Z"}, {"advisory": "RHSA-2025:7691", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "thunderbird-0:128.10.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-05-15T00:00:00Z"}, {"advisory": "RHSA-2025:7545", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "firefox-0:128.10.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-05-14T00:00:00Z"}, {"advisory": "RHSA-2025:7691", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "thunderbird-0:128.10.0-1.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-05-15T00:00:00Z"}, {"advisory": "RHSA-2025:7544", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "firefox-0:128.10.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-05-14T00:00:00Z"}, {"advisory": "RHSA-2025:7690", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "thunderbird-0:128.10.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-05-15T00:00:00Z"}, {"advisory": "RHSA-2025:7544", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "firefox-0:128.10.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-05-14T00:00:00Z"}, {"advisory": "RHSA-2025:7690", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "thunderbird-0:128.10.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-05-15T00:00:00Z"}, {"advisory": "RHSA-2025:7544", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "firefox-0:128.10.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-05-14T00:00:00Z"}, {"advisory": "RHSA-2025:7690", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "thunderbird-0:128.10.0-1.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-05-15T00:00:00Z"}, {"advisory": "RHSA-2025:7543", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "firefox-0:128.10.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-05-14T00:00:00Z"}, {"advisory": "RHSA-2025:7689", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "thunderbird-0:128.10.0-1.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-05-15T00:00:00Z"}, {"advisory": "RHSA-2025:4443", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:128.10.0-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-05T00:00:00Z"}, {"advisory": "RHSA-2025:4460", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:128.10.0-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-05T00:00:00Z"}, {"advisory": "RHSA-2025:7428", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:128.10.0-1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:4753", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "firefox-0:128.10.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-05-08T00:00:00Z"}, {"advisory": "RHSA-2025:7692", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "thunderbird-0:128.10.0-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-05-15T00:00:00Z"}, {"advisory": "RHSA-2025:4752", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "firefox-0:128.10.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-05-08T00:00:00Z"}, {"advisory": "RHSA-2025:7694", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "thunderbird-0:128.10.0-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-05-15T00:00:00Z"}, {"advisory": "RHSA-2025:4756", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "firefox-0:128.10.0-1.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-05-08T00:00:00Z"}, {"advisory": "RHSA-2025:7695", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "thunderbird-0:128.10.0-1.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-05-15T00:00:00Z"}], "bugzilla": {"description": "firefox: thunderbird: Memory safety bug fixed in Firefox ESR 128.10 and Thunderbird 128.10", "id": "2362915", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2362915"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-120", "details": ["Memory safety bug present in Firefox ESR 128.9, and Thunderbird 128.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have been exploited to run arbitrary code. This vulnerability affects Firefox ESR < 128.10 and Thunderbird < 128.10."], "name": "CVE-2025-4093", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-29T13:13:50Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-4093\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-4093\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1894100\nhttps://www.mozilla.org/security/advisories/mfsa2025-29/\nhttps://www.mozilla.org/security/advisories/mfsa2025-32/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object