CVE-2025-9179

An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mozillaCNA
---
---
CISA-ADPADP
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
VendorProductVersion
mozillafirefox
𝑥
< 115.27.0
mozillafirefox
𝑥
< 142.0
mozillafirefox
128.0 ≤
𝑥
< 128.14.0
mozillafirefox
140.0 ≤
𝑥
< 140.2.0
mozillathunderbird
𝑥
< 128.14.0
mozillathunderbird
𝑥
< 142.0
mozillathunderbird
140.0 ≤
𝑥
< 140.2.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
firefox
sid
142.0-1
fixed
firefox-esr
bullseye
vulnerable
bullseye (security)
128.14.0esr-1~deb11u1
fixed
bookworm
vulnerable
bookworm (security)
128.14.0esr-1~deb12u1
fixed
trixie (security)
128.14.0esr-1~deb13u1
fixed
forky
vulnerable
trixie
vulnerable
sid
128.14.0esr-1
fixed
thunderbird
bullseye
vulnerable
bullseye (security)
vulnerable
bookworm
vulnerable
bookworm (security)
vulnerable
forky
vulnerable
trixie
vulnerable
sid
1:128.14.0esr-1
fixed
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://bugzilla.mozilla.org/show_bug.cgi?id=1979527
https://www.mozilla.org/security/advisories/mfsa2025-64/
https://www.mozilla.org/security/advisories/mfsa2025-65/
https://www.mozilla.org/security/advisories/mfsa2025-66/
https://www.mozilla.org/security/advisories/mfsa2025-67/
https://www.mozilla.org/security/advisories/mfsa2025-70/
https://www.mozilla.org/security/advisories/mfsa2025-71/
https://www.mozilla.org/security/advisories/mfsa2025-72/