When String.toUpperCase() caused a string to get longer it was possible for uninitialized memory to be incorporated into the result string. This vulnerability was fixed in Firefox 136 and Thunderbird 136.
When the String.toUpperCase() operation causes a string to expand (which occurs for some Unicode characters whose uppercase equivalents take up more space), the JavaScript engine does not properly initialize the entire required memory buffer. As a result, a fragment of uninitialized memory may be included in the resulting string (CWE-908: Use of Uninitialized Resource). An attacker could potentially exploit this mechanism through a crafted website or email message containing appropriate JavaScript code.
An attacker can gain access to sensitive data stored in uninitialized memory of the browser or mail client process, and in the worst case scenario — lead to a breach of application integrity or availability.
Mozilla Firefox should be updated to version 136 or later and Mozilla Thunderbird to version 136 or later. Patches are available directly from the vendor according to MFSA2025-14 and MFSA2025-17 references.
Mozilla Firefox versions prior to 136 and Mozilla Thunderbird versions prior to 136.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 136.0Mozilla Thunderbird
APPMozilla< 136.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...