CVE-2025-9179
thunderbird - security update
9.8
CRITICAL
CVSS 3.1
EPSS 0.19%
Description
An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability was fixed in Firefox 142, Firefox ESR 115.27, Firefox ESR 128.14, Firefox ESR 140.2, Thunderbird 142, Thunderbird 128.14, and Thunderbird 140.2.
How to fix CVE-2025-9179
To remediate CVE-2025-9179, upgrade the affected package to a fixed version below.
- —upgrade to 128.14.0esr-1~deb11u1 or later
- —upgrade to 128.14.0esr-1~deb11u1 or later
- —upgrade to 128.14.0esr-1~deb12u1 or later
- —upgrade to 1:128.14.0esr-1~deb11u1 or later
- —upgrade to 1:128.14.0esr-1~deb11u1 or later
- —upgrade to 1:128.14.0esr-1~deb12u1 or later
Is CVE-2025-9179 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- from 0, < 128.14.0esr-1~deb11u1
- from 0, < 128.14.0esr-1~deb11u1
- from 0, < 128.14.0esr-1~deb12u1
- from 0, < 1:128.14.0esr-1~deb11u1
- from 0, < 1:128.14.0esr-1~deb11u1
- from 0, < 1:128.14.0esr-1~deb12u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |