Cyber Resilience

CVE-2025-8034

High

Published: 22 July 2025

Published
22 July 2025
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0054 68.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-8034 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked in the top 31.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-8034 encompasses multiple memory safety bugs classified under CWE-119, affecting Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140, and Thunderbird 140. These bugs demonstrated evidence of memory corruption in some instances, which Mozilla presumes could be leveraged with sufficient effort to enable arbitrary code execution.

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network with low attack complexity and no required privileges, though user interaction is necessary. Attackers could target end-users by luring them to malicious content, such as web pages or files processed by the browser or email client, potentially achieving arbitrary code execution within the affected application's sandboxed context and compromising confidentiality, integrity, and availability.

Mozilla has released patches addressing CVE-2025-8034 in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird ESR 128.13, and Thunderbird ESR 140.1. Security advisories MFSA 2025-56, MFSA 2025-57, MFSA 2025-58, and MFSA 2025-59, along with Bugzilla entry 1970422, provide further technical details and mitigation guidance, emphasizing immediate updates for affected systems.

EU & UK References

Vulnerability details

Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough…

more

effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 141, Firefox ESR 115.26, Firefox ESR 128.13, Firefox ESR 140.1, Thunderbird 141, Thunderbird 128.13, and Thunderbird 140.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

Memory corruption RCE in browser/email client directly enables client-side exploitation via malicious web content or files requiring user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-8040Same product: Mozilla Firefox
CVE-2026-2773Same product: Mozilla Firefox
CVE-2025-8044Same product: Mozilla Firefox
CVE-2026-0879Same product: Mozilla Firefox
CVE-2026-2788Same product: Mozilla Firefox
CVE-2026-2778Same product: Mozilla Firefox
CVE-2025-9185Same product: Mozilla Firefox
CVE-2026-7324Same product: Mozilla Firefox
CVE-2026-0891Same product: Mozilla Firefox
CVE-2026-6752Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 115.26.0 · ≤ 141.0 · 128.0 — 128.13.0
mozilla
thunderbird
≤ 128.13.0 · ≤ 141.0 · 140.0 — 140.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventrecover

Mandates timely flaw remediation through vulnerability scanning, patching, and updates, directly addressing the patched memory safety bugs in affected Firefox and Thunderbird versions.

prevent

Implements memory protection safeguards like ASLR and DEP to prevent exploitation of memory corruption bugs leading to arbitrary code execution.

detect

Requires vulnerability scanning to identify systems running vulnerable Firefox ESR 115.25, 128.12, 140.0 or Thunderbird versions affected by this CVE.

References