CVE-2025-2817

Summary

Thunderbird's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation. This vulnerability was fixed in Firefox 138, Firefox ESR 128.10, Firefox ESR 115.23, Thunderbird 138, and Thunderbird 128.10.

Affected Software

VendorProductVersion RangeStatus
MozillaFirefox115.23 <= 115.*unaffected
MozillaFirefox128.10 <= 128.*unaffected
MozillaFirefox138 <= *unaffected
MozillaThunderbird128.10 <= 128.*unaffected
MozillaThunderbird138 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References