Security update for MozillaFirefox SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:03009-1 Final 1 1 2025-08-28T09:19:04Z current 2025-08-28T09:19:04Z 2025-08-28T09:19:04Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for MozillaFirefox This update for MozillaFirefox fixes the following issues: - Firefox Extended Support Release 140.2.0 ESR MFSA 2025-67 (bsc#1248162) * CVE-2025-9179 (bmo#1979527): Sandbox escape due to invalid pointer in the Audio/Video: GMP component * CVE-2025-9180 (bmo#1979782): Same-origin policy bypass in the Graphics: Canvas2D component * CVE-2025-9181 (bmo#1977130): Uninitialized memory in the JavaScript Engine component * CVE-2025-9182 (bmo#1975837): Denial-of-service due to out-of-memory in the Graphics: WebRender component * CVE-2025-9183 (bmo#1976102): Spoofing issue in the Address Bar component * CVE-2025-9184 (bmo#1929482, bmo#1976376, bmo#1979163, bmo#1979955): Memory safety bugs fixed in Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142 * CVE-2025-9185 (bmo#1970154, bmo#1976782, bmo#1977166): Memory safety bugs fixed in Firefox ESR 115.27, Firefox ESR 128.14, Thunderbird ESR 128.14, Firefox ESR 140.2, Thunderbird ESR 140.2, Firefox 142 and Thunderbird 142 * CVE-2025-9187 (bmo#1825621, bmo#1970079, bmo#1976736, bmo#1979072): Memory safety bugs fixed in Firefox 142 and Thunderbird 142 - Other fixes: * Ensure the use of the correct file-picker on KDE (bsc#1226112) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-3009,SUSE-SLE-SERVER-12-SP5-LTSS-2025-3009,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-3009 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202503009-1/ Link for SUSE-SU-2025:03009-1 https://lists.suse.com/pipermail/sle-updates/2025-August/041409.html E-Mail link for SUSE-SU-2025:03009-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1226112 SUSE Bug 1226112 https://bugzilla.suse.com/1247774 SUSE Bug 1247774 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 https://www.suse.com/security/cve/CVE-2025-9179/ SUSE CVE CVE-2025-9179 page https://www.suse.com/security/cve/CVE-2025-9180/ SUSE CVE CVE-2025-9180 page https://www.suse.com/security/cve/CVE-2025-9181/ SUSE CVE CVE-2025-9181 page https://www.suse.com/security/cve/CVE-2025-9182/ SUSE CVE CVE-2025-9182 page https://www.suse.com/security/cve/CVE-2025-9183/ SUSE CVE CVE-2025-9183 page https://www.suse.com/security/cve/CVE-2025-9184/ SUSE CVE CVE-2025-9184 page https://www.suse.com/security/cve/CVE-2025-9185/ SUSE CVE CVE-2025-9185 page https://www.suse.com/security/cve/CVE-2025-9187/ SUSE CVE CVE-2025-9187 page SUSE Linux Enterprise Server 12 SP5-LTSS SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 MozillaFirefox-140.2.0-112.276.1 MozillaFirefox-branding-upstream-140.2.0-112.276.1 MozillaFirefox-devel-140.2.0-112.276.1 MozillaFirefox-translations-common-140.2.0-112.276.1 MozillaFirefox-translations-other-140.2.0-112.276.1 MozillaFirefox-140.2.0-112.276.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS MozillaFirefox-devel-140.2.0-112.276.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS MozillaFirefox-translations-common-140.2.0-112.276.1 as a component of SUSE Linux Enterprise Server 12 SP5-LTSS MozillaFirefox-140.2.0-112.276.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 MozillaFirefox-devel-140.2.0-112.276.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 MozillaFirefox-translations-common-140.2.0-112.276.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. CVE-2025-9179 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-140.2.0-112.276.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503009-1/ https://www.suse.com/security/cve/CVE-2025-9179.html CVE-2025-9179 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 'Same-origin policy bypass in the Graphics: Canvas2D component.' This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. CVE-2025-9180 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-140.2.0-112.276.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503009-1/ https://www.suse.com/security/cve/CVE-2025-9180.html CVE-2025-9180 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 Uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 142, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. CVE-2025-9181 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-140.2.0-112.276.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503009-1/ https://www.suse.com/security/cve/CVE-2025-9181.html CVE-2025-9181 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 'Denial-of-service due to out-of-memory in the Graphics: WebRender component.' This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2. CVE-2025-9182 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-140.2.0-112.276.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503009-1/ https://www.suse.com/security/cve/CVE-2025-9182.html CVE-2025-9182 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 Spoofing issue in the Address Bar component. This vulnerability affects Firefox < 142 and Firefox ESR < 140.2. CVE-2025-9183 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-140.2.0-112.276.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503009-1/ https://www.suse.com/security/cve/CVE-2025-9183.html CVE-2025-9183 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2. CVE-2025-9184 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-140.2.0-112.276.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503009-1/ https://www.suse.com/security/cve/CVE-2025-9184.html CVE-2025-9184 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. CVE-2025-9185 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-140.2.0-112.276.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503009-1/ https://www.suse.com/security/cve/CVE-2025-9185.html CVE-2025-9185 https://bugzilla.suse.com/1248162 SUSE Bug 1248162 Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142 and Thunderbird < 142. CVE-2025-9187 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server 12 SP5-LTSS:MozillaFirefox-translations-common-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-devel-140.2.0-112.276.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:MozillaFirefox-translations-common-140.2.0-112.276.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202503009-1/ https://www.suse.com/security/cve/CVE-2025-9187.html CVE-2025-9187 https://bugzilla.suse.com/1248162 SUSE Bug 1248162