{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10528", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-09-16T06:48:35.863Z", "datePublished": "2025-09-16T12:26:35.394Z", "dateUpdated": "2026-04-13T14:28:09.906Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.3", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "143", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.3", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "143", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3."}]}], "title": "Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1986185"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-73/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-75/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-77/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-78/"}], "credits": [{"lang": "en", "value": "Oskar L"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:28:09.906Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-693", "lang": "en", "description": "CWE-693 Protection Mechanism Failure"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-09-17T18:02:06.261366Z", "id": "CVE-2025-10528", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-18T18:49:09.471Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00026.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00020.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T18:08:29.851Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00026.html"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00020.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T18:08:29.851Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-10528", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-17T18:02:06.261366Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693 Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-17T17:57:40.925Z"}}], "cna": {"title": "Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component", "credits": [{"lang": "en", "value": "Oskar L"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "140.3", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "143", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "140.3", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "143", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1986185"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-73/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-75/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-77/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-78/"}], "descriptions": [{"lang": "en", "value": "Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.", "supportingMedia": [{"type": "text/html", "value": "Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:28:09.906Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10528", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:28:09.906Z", "dateReserved": "2025-09-16T06:48:35.863Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-09-16T12:26:35.394Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "277CA9C0-BD77-46D8-8191-F54598F7F47B", "versionEndExcluding": "140.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "6071B71C-B967-45B9-8CA4-1CB0A9E24D1A", "versionEndExcluding": "143.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A5AA31F-5E87-4759-9E8B-D12A91F10CFE", "versionEndExcluding": "140.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "6FA9EF30-CE04-4A16-8083-E3A773AF2AB8", "versionEndExcluding": "143.0", "versionStartIncluding": "141.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 143, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3."}], "id": "CVE-2025-10528", "lastModified": "2026-04-13T15:16:35.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-09-16T13:15:45.017", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1986185"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-73/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-75/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-77/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-78/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00020.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00026.html"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:16109", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "firefox-0:140.3.0-1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-09-17T00:00:00Z"}, {"advisory": "RHSA-2025:16108", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:140.3.0-1.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-09-17T00:00:00Z"}], "bugzilla": {"description": "firefox: thunderbird: Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component", "id": "2395755", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2395755"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-824", "details": ["No description is available for this CVE."], "name": "CVE-2025-10528", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/thunderbird-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-09-16T12:26:35Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-10528\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-10528\nhttps://www.mozilla.org/security/advisories/mfsa2025-75/#CVE-2025-10528\nhttps://www.mozilla.org/security/advisories/mfsa2025-78/#CVE-2025-10528"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-20T17:58:27.214234+00:00", "value": {"mitigation_remediation": ["Update Firefox to version\u202f143 or newer, or the ESR 140.3 release, to apply the official fix.", "Update Thunderbird to version\u202f143 or newer, or the ESR 140.3 release, to obtain the patch."], "summary": {"action": "Patch Immediately", "impact": "Sandbox escape that can allow code execution outside Firefox and Thunderbird"}, "threat_synthesis": {"affected_systems": "The issue affects Mozilla Firefox 143 and earlier, Firefox ESR 140.3 and earlier, Mozilla Thunderbird 143 and earlier, and Thunderbird ESR 140.3 and earlier. Hosted environments such as Red\u202fHat Enterprise\u202fLinux\u202f9 and 10 are also at risk if they run a vulnerable client version, because the escape occurs within the browser or mail client process.", "description_and_impact": "This flaw stems from undefined behavior and an invalid pointer in the Canvas2D component of Gecko\u2019s Graphics subsystem. If an attacker can trigger the problematic code path\u2014most likely by serving malicious content that draws onto a canvas\u2014the program can escape its sandbox, potentially executing arbitrary code with the privileges of the application. The vulnerability is a classic example of unsafe memory handling as identified by CWE\u2011693 and CWE\u2011824, and it directly threatens the confidentiality, integrity, and availability of the host system.", "risk_and_exploitability": "With a CVSS score of 7.3 the vulnerability is classified as high severity. The EPSS score of less than 1\u202f% indicates a low probability of being found or used in the wild at present. It is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, via crafted web or email content that exercises Canvas2D; no local privilege escalation path is mentioned, so exploitation likely requires the victim to open a malicious page or message."}}}}, "created": "2025-09-17T10:04:57.458360+00:00", "updated": "2026-04-20T18:00:11.172144+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$firefox_esr", "mozilla$PRODUCT$thunderbird"], "weaknesses": ["CWE-693", "CWE-824"]}