This Red Hat security advisory (RHSA-2025:7506) addresses five vulnerabilities in Firefox and Thunderbird: CVE-2025-2817 (privilege escalation in Firefox Updater), CVE-2025-4087 (unsafe attribute access during XPath parsing), CVE-2025-4083 (process isolation bypass using "javascript:" URI links in cross-origin frames), and two memory safety bugs (CVE-2025-4091 and CVE-2025-4093) fixed in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10. The vulnerabilities involve privilege escalation, unsafe parsing, process isolation bypass, and memory safety issues. The advisory provides updated packages for Red Hat Enterprise Linux 10 and its extended update support versions across multiple architectures including x86_64, s390x, ppc64le, and aarch64. The vendor rates the update as Important and recommends applying the update to remediate these issues.

The vulnerabilities include privilege escalation, unsafe attribute access, process isolation bypass, and memory safety bugs. These could allow an attacker to escalate privileges, bypass security boundaries between processes, and potentially cause memory corruption leading to crashes or arbitrary code execution. The impact affects Firefox and Thunderbird users on Red Hat Enterprise Linux 10 and related variants. The advisory rates the overall security impact as Important, indicating a high severity level.

Red Hat has released updated Firefox and Thunderbird packages that address these vulnerabilities. Users should apply the security update for Firefox version 128.10.0-1.el10_0 and corresponding Thunderbird updates as provided by Red Hat for Red Hat Enterprise Linux 10 and its extended update support versions. Detailed update instructions are available at https://access.redhat.com/articles/11258. Applying these official patches fully mitigates the described vulnerabilities.