This Red Hat security advisory addresses several vulnerabilities in Mozilla Firefox and Thunderbird, including CVE-2025-9179 (sandbox escape due to invalid pointer in the Audio/Video GMP component), CVE-2025-9180 (same-origin policy bypass in Graphics Canvas2D), CVE-2025-9181 (uninitialized memory in the JavaScript engine), CVE-2025-9182 (denial-of-service via out-of-memory in Graphics WebRender), and CVE-2025-9185 (memory safety bugs). These issues affect various components related to graphics rendering, audio/video processing, and JavaScript execution. The vulnerabilities are fixed in Firefox ESR 128.14 and related ESR and standard versions, as packaged for Red Hat Enterprise Linux 8 and its Extended Life Cycle releases across multiple architectures.

The vulnerabilities could allow denial-of-service conditions, sandbox escapes, bypass of same-origin policy, exposure of uninitialized memory, and other memory safety issues in Firefox and Thunderbird. These could potentially be leveraged to compromise the security boundaries of the browser or email client, leading to information disclosure or execution of unauthorized code. The advisory rates the impact as Important (high severity). There are no known exploits in the wild at the time of publication.

Red Hat has released updated Firefox packages for Red Hat Enterprise Linux 8 and Extended Life Cycle 8.10 that address these vulnerabilities. Users should apply the security update as described in the Red Hat advisory RHSA-2025:14442 and the referenced article https://access.redhat.com/articles/11258. This update includes fixes for all listed CVEs. No additional mitigation steps are indicated by the vendor.