This Red Hat security advisory addresses nine vulnerabilities in Mozilla Firefox and Thunderbird, including CVE-2025-8027, which involves the JavaScript engine writing only partial return values to the stack, and other issues such as large branch table truncation (CVE-2025-8028), memory safety bugs (CVE-2025-8034, CVE-2025-8035), incorrect URL stripping in CSP reports (CVE-2025-8031), potential user-assisted code execution via the 'Copy as cURL' command (CVE-2025-8030), incorrect JavaScript state machine for generators (CVE-2025-8033), XSLT documents bypassing CSP (CVE-2025-8032), and execution of javascript: URLs on object and embed tags (CVE-2025-8029). The advisory covers updates for Red Hat Enterprise Linux 9.2 across multiple architectures and product variants. Red Hat has released updated Firefox packages to remediate these vulnerabilities.

The vulnerabilities collectively impact the security of Firefox and Thunderbird by enabling potential memory safety issues, incorrect enforcement of security policies (CSP), partial execution of JavaScript return values, and possible user-assisted code execution. These flaws could lead to security breaches such as code execution or bypassing security restrictions if exploited. Red Hat rates the security impact as Important (high severity). There are no known exploits in the wild at the time of this advisory.

Red Hat has released updated Firefox packages for Red Hat Enterprise Linux 9.2 that address these vulnerabilities. Users and administrators should apply the provided security update promptly to remediate the issues. Detailed update instructions are available in the Red Hat advisory at https://access.redhat.com/articles/11258. No additional mitigations are specified beyond applying the official update.