{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3028", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-03-31T09:35:17.664Z", "datePublished": "2025-04-01T12:28:58.303Z", "dateUpdated": "2026-04-13T14:25:58.540Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "115.22", "lessThanOrEqual": "115.*", "versionType": "rpm"}, {"status": "unaffected", "version": "128.9", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "137", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "128.9", "lessThanOrEqual": "128.*", "versionType": "rpm"}, {"status": "unaffected", "version": "137", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability was fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability was fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9."}]}], "title": "Use-after-free triggered by XSLTProcessor", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1941002"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-21/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-22/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-23/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-24/"}], "credits": [{"lang": "en", "value": "Ivan Fratric of Google Project Zero"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:25:58.540Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "CWE-416 Use After Free"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-04-01T20:40:58.347633Z", "id": "CVE-2025-3028", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T20:41:04.282Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00005.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:46:48.122Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00005.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:46:48.122Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-3028", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-01T20:40:58.347633Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-01T20:40:47.348Z"}}], "cna": {"title": "Use-after-free triggered by XSLTProcessor", "credits": [{"lang": "en", "value": "Ivan Fratric of Google Project Zero"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "115.22", "versionType": "rpm", "lessThanOrEqual": "115.*"}, {"status": "unaffected", "version": "128.9", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "137", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "128.9", "versionType": "rpm", "lessThanOrEqual": "128.*"}, {"status": "unaffected", "version": "137", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1941002"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-21/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-22/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-23/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-24/"}], "descriptions": [{"lang": "en", "value": "JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability was fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9.", "supportingMedia": [{"type": "text/html", "value": "JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability was fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:25:58.540Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3028", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:25:58.540Z", "dateReserved": "2025-03-31T09:35:17.664Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-04-01T12:28:58.303Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "DC27CD34-8D27-4797-95BD-A0D419FCD7C1", "versionEndExcluding": "115.22.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "A6CBADD8-E865-41B5-BDDD-1572F97D5176", "versionEndExcluding": "137.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "108709F8-F3C5-4985-B1FA-A569734D4EDF", "versionEndExcluding": "128.9.0", "versionStartIncluding": "116.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "547865A8-58DA-4716-A4E0-43597E1C8091", "versionEndExcluding": "128.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "D68021EC-F934-4037-8888-FAFBB3364166", "versionEndIncluding": "137.0", "versionStartIncluding": "129.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability was fixed in Firefox 137, Firefox ESR 115.22, Firefox ESR 128.9, Thunderbird 137, and Thunderbird 128.9."}, {"lang": "es", "value": "La ejecuci\u00f3n de c\u00f3digo JavaScript al transformar un documento con XSLTProcessor podr\u00eda provocar un use-after-free. Esta vulnerabilidad afecta a Firefox < 137, Firefox ESR < 115.22, Firefox ESR < 128.9, Thunderbird < 137 y Thunderbird < 128.9."}], "id": "CVE-2025-3028", "lastModified": "2026-04-13T15:16:56.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-04-01T13:15:41.190", "references": [{"source": "security@mozilla.org", "tags": ["Exploit", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1941002"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-20/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-21/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-22/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-23/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-24/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00005.html"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:7491", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "firefox-0:128.9.0-3.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:7493", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "thunderbird-0:128.9.0-2.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-13T00:00:00Z"}, {"advisory": "RHSA-2025:3628", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "firefox-0:128.9.0-2.el7_9", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3582", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "firefox-0:128.9.0-2.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4170", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "thunderbird-0:128.9.0-2.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-04-24T00:00:00Z"}, {"advisory": "RHSA-2025:3623", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "firefox-0:128.9.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:4032", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "thunderbird-0:128.9.0-2.el8_2", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3581", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "firefox-0:128.9.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4031", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "thunderbird-0:128.9.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3581", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "firefox-0:128.9.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4031", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "thunderbird-0:128.9.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3581", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "firefox-0:128.9.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4031", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "thunderbird-0:128.9.0-2.el8_4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3621", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "firefox-0:128.9.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:4030", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "thunderbird-0:128.9.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3621", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "firefox-0:128.9.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:4030", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "thunderbird-0:128.9.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3621", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "firefox-0:128.9.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:4030", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "thunderbird-0:128.9.0-2.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3620", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "firefox-0:128.9.0-2.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:4029", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "thunderbird-0:128.9.0-2.el8_8", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3556", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "firefox-0:128.9.0-2.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4169", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "thunderbird-0:128.9.0-2.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-04-24T00:00:00Z"}, {"advisory": "RHSA-2025:3587", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "firefox-0:128.9.0-2.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4028", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "thunderbird-0:128.9.0-2.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3589", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "firefox-0:128.9.0-2.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4027", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "thunderbird-0:128.9.0-2.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:3590", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "firefox-0:128.9.0-2.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-04-03T00:00:00Z"}, {"advisory": "RHSA-2025:4026", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "thunderbird-0:128.9.0-2.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2025-04-23T00:00:00Z"}], "bugzilla": {"description": "firefox: thunderbird: Use-after-free triggered by XSLTProcessor", "id": "2356562", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2356562"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "status": "verified"}, "cwe": "CWE-416", "details": ["JavaScript code running while transforming a document with the XSLTProcessor could lead to a use-after-free. This vulnerability affects Firefox < 137, Firefox ESR < 115.22, Firefox ESR < 128.9, Thunderbird < 137, and Thunderbird < 128.9."], "name": "CVE-2025-3028", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird-flatpak-container", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2025-04-01T12:28:58Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-3028\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-3028\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1941002\nhttps://www.mozilla.org/security/advisories/mfsa2025-20/\nhttps://www.mozilla.org/security/advisories/mfsa2025-21/\nhttps://www.mozilla.org/security/advisories/mfsa2025-22/\nhttps://www.mozilla.org/security/advisories/mfsa2025-23/\nhttps://www.mozilla.org/security/advisories/mfsa2025-24/"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important"}

{"analysis": {"en": {"generated_at": "2026-04-20T18:18:08.188272+00:00", "value": {"mitigation_remediation": ["Upgrade Mozilla Firefox to version 137 or newer, or to the latest Firefox ESR 115.22 or 128.9 release.", "Upgrade Mozilla Thunderbird to version 137 or newer, or to the latest Thunderbird ESR 128.9 release.", "On systems using packaged browsers from RedHat, update the packages to the latest versions that incorporate the patch or rebuild the packages to include the latest Firefox/Thunderbird binaries."], "summary": {"action": "Immediate Patch", "impact": "Use\u2011after\u2011free leading to memory corruption and potential arbitrary code execution"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox and Thunderbird versions older than 137, or older ESR releases before Firefox ESR 115.22 or 128.9 and Thunderbird ESR 128.9. The vulnerability is also present in RedHat Enterprise Linux distributions that ship these browsers in the packages listed.", "description_and_impact": "Use\u2011after\u2011free vulnerability triggered by XSLTProcessor when JavaScript code runs during transformation can cause memory corruption. The improper deallocation may allow an attacker to manipulate the page context or execute arbitrary code, potentially compromising confidentiality, integrity, and availability of the system.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests a low likelihood of exploitation in the short term, and the vulnerability is not yet listed in the CISA KEV catalog. The attack vector is inferred to be through malicious web content that uses XSLTProcessor, as the defect arises while processing JavaScript within a transformation. An attacker would need to supply or influence the document or script being processed, likely via XSS or a crafted link, to trigger the use\u2011after\u2011free. Once triggered, the resulting memory corruption could lead to arbitrary code execution or denial of service."}}}}, "created": "2026-04-20T18:30:13.976402+00:00", "updated": "2026-04-20T18:30:13.976419+00:00", "vendors": []}