CVE-2025-11710

Published: Oct 14, 2025Modified: Apr 13, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A compromised web process using malicious IPC messages could have caused the privileged browser process to reveal blocks of its memory to the compromised process. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

Affected (5)

Products: Mozilla: Firefox, Thunderbird

2 products

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Mozilla Firefox	Before 144.0
Mozilla Firefox	Before 115.29.0
Mozilla Firefox	From 116.0 to 140.4.0
Mozilla Thunderbird	Before 140.4.0
Mozilla Thunderbird	From 141.0 to 144.0

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (8)

https://bugzilla.mozilla.org/show_bug.cgi?id=1989899

Source: security@mozilla.org

Issue TrackingPermissions Required

https://www.mozilla.org/security/advisories/mfsa2025-81/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-82/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-83/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-84/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-85/

Source: security@mozilla.org

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.