Fluid Attacks Database

Description

A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue: Mozilla Firefox's update mechanism allowed a medium-integrity user process to interfere with the SYSTEM-level updater by manipulating the file-locking behavior. By injecting code into the user-privileged process, an attacker could bypass intended access controls, allowing SYSTEM-level file operations on paths controlled by a non-privileged user and enabling privilege escalation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel8.8	firefox	<0:128.10.0-1.el8_8	0:128.10.0-1.el8_8
rpm rhel10	firefox-flatpak-container	-	-
rpm rhel9.2	thunderbird	<0:128.10.0-1.el9_2	0:128.10.0-1.el9_2
rpm rhel6	thunderbird	-	-
rpm rhel10	thunderbird-flatpak-container	-	-
rpm rhel8	firefox	<0:128.10.0-1.el8_10	0:128.10.0-1.el8_10
rpm rhel9.4	thunderbird	<0:128.10.0-1.el9_4	0:128.10.0-1.el9_4
rpm rhel8.8	thunderbird	<0:128.10.0-1.el8_8	0:128.10.0-1.el8_8
rpm rhel10	thunderbird	<0:128.10.0-1.el10_0	0:128.10.0-1.el10_0
rpm rhel7	thunderbird	-	-

1-10 of 19

Aliases

1. CVE-2025-28172. NVD-2025-28173. OSV-2025-2817

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.