Security update for MozillaFirefox

Announcement ID:	SUSE-SU-2025:21021-1
Release Date:	2025-11-19T16:45:48Z
Rating:	important
References:	bsc#1249391 bsc#1250452 bsc#1251263 bsc#1253188
Cross-References:	CVE-2025-10527 CVE-2025-10528 CVE-2025-10529 CVE-2025-10532 CVE-2025-10533 CVE-2025-10536 CVE-2025-10537 CVE-2025-11708 CVE-2025-11709 CVE-2025-11710 CVE-2025-11711 CVE-2025-11712 CVE-2025-11713 CVE-2025-11714 CVE-2025-11715 CVE-2025-13012 CVE-2025-13013 CVE-2025-13014 CVE-2025-13015 CVE-2025-13016 CVE-2025-13017 CVE-2025-13018 CVE-2025-13019 CVE-2025-13020
CVSS scores:	CVE-2025-10527 ( NVD ): 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L CVE-2025-10528 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2025-10529 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2025-10532 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVE-2025-10533 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2025-10536 ( NVD ): 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2025-10537 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-11708 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-11709 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-11710 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2025-11711 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVE-2025-11712 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2025-11713 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2025-11714 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-11715 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-13012 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-13012 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-13013 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2025-13013 ( NVD ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2025-13014 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2025-13014 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-13015 ( SUSE ): 3.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N CVE-2025-13015 ( NVD ): 3.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N CVE-2025-13016 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-13016 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2025-13017 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2025-13017 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2025-13018 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2025-13018 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2025-13019 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2025-13019 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2025-13020 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVE-2025-13020 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP Applications 16.0

An update that solves 24 vulnerabilities can now be installed.

Description:

This update for MozillaFirefox fixes the following issues:

Changes in MozillaFirefox:

Firefox Extended Support Release 140.5.0 ESR:

• Fixed: Various security fixes (MFSA 2025-88 bsc#1253188):

• CVE-2025-13012 Race condition in the Graphics component

• CVE-2025-13016 Incorrect boundary conditions in the JavaScript: WebAssembly component
• CVE-2025-13017 Same-origin policy bypass in the DOM: Notifications component
• CVE-2025-13018 Mitigation bypass in the DOM: Security component
• CVE-2025-13019 Same-origin policy bypass in the DOM: Workers component
• CVE-2025-13013 Mitigation bypass in the DOM: Core & HTML component
• CVE-2025-13020 Use-after-free in the WebRTC: Audio/Video component
• CVE-2025-13014 Use-after-free in the Audio/Video component

• CVE-2025-13015 Spoofing issue in Firefox

• Firefox Extended Support Release 140.4.0 ESR

• Fixed: Various security fixes. MFSA 2025-83 (bsc#1251263)
• CVE-2025-11708 Use-after-free in MediaTrackGraphImpl::GetInstance()
• CVE-2025-11709 Out of bounds read/write in a privileged process triggered by WebGL textures
• CVE-2025-11710 Cross-process information leaked due to malicious IPC messages
• CVE-2025-11711 Some non-writable Object properties could be modified
• CVE-2025-11712 An OBJECT tag type attribute overrode browser behavior on web resources without a content-type
• CVE-2025-11713 Potential user-assisted code execution in “Copy as cURL” command
• CVE-2025-11714 Memory safety bugs fixed in Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144

• CVE-2025-11715 Memory safety bugs fixed in Firefox ESR 140.4, Thunderbird ESR 140.4, Firefox 144 and Thunderbird 144

• Firefox Extended Support Release 140.3.1 ESR (bsc#1250452)

• Fixed: Improved reliability when HTTP/3 connections fail: Firefox no longer forces HTTP/2 during fallback, allowing the server to choose the protocol and preventing stalls on some sites.

Firefox Extended Support Release 140.3.0 ESR

• Fixed: Various security fixes (MFSA 2025-75 bsc#1249391)

• CVE-2025-10527 Sandbox escape due to use-after-free in the Graphics: Canvas2D component

• CVE-2025-10528 Sandbox escape due to undefined behavior, invalid pointer in the Graphics: Canvas2D component
• CVE-2025-10529 Same-origin policy bypass in the Layout component
• CVE-2025-10532 Incorrect boundary conditions in the JavaScript: GC component
• CVE-2025-10533 Integer overflow in the SVG component
• CVE-2025-10536 Information disclosure in the Networking: Cache component
• CVE-2025-10537 Memory safety bugs fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143 and Thunderbird 143

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 16.0
  zypper in -t patch SUSE-SLES-16.0-39=1
• SUSE Linux Enterprise Server for SAP Applications 16.0
  zypper in -t patch SUSE-SLES-16.0-39=1

Package List:

• SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
  • MozillaFirefox-debuginfo-140.5.0-160000.1.1
  • MozillaFirefox-translations-common-140.5.0-160000.1.1
  • MozillaFirefox-translations-other-140.5.0-160000.1.1
  • MozillaFirefox-debugsource-140.5.0-160000.1.1
  • MozillaFirefox-140.5.0-160000.1.1
• SUSE Linux Enterprise Server 16.0 (noarch)
  • MozillaFirefox-devel-140.5.0-160000.1.1
• SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64)
  • MozillaFirefox-debuginfo-140.5.0-160000.1.1
  • MozillaFirefox-translations-common-140.5.0-160000.1.1
  • MozillaFirefox-translations-other-140.5.0-160000.1.1
  • MozillaFirefox-debugsource-140.5.0-160000.1.1
  • MozillaFirefox-140.5.0-160000.1.1
• SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch)
  • MozillaFirefox-devel-140.5.0-160000.1.1

References:

• https://www.suse.com/security/cve/CVE-2025-10527.html
• https://www.suse.com/security/cve/CVE-2025-10528.html
• https://www.suse.com/security/cve/CVE-2025-10529.html
• https://www.suse.com/security/cve/CVE-2025-10532.html
• https://www.suse.com/security/cve/CVE-2025-10533.html
• https://www.suse.com/security/cve/CVE-2025-10536.html
• https://www.suse.com/security/cve/CVE-2025-10537.html
• https://www.suse.com/security/cve/CVE-2025-11708.html
• https://www.suse.com/security/cve/CVE-2025-11709.html
• https://www.suse.com/security/cve/CVE-2025-11710.html
• https://www.suse.com/security/cve/CVE-2025-11711.html
• https://www.suse.com/security/cve/CVE-2025-11712.html
• https://www.suse.com/security/cve/CVE-2025-11713.html
• https://www.suse.com/security/cve/CVE-2025-11714.html
• https://www.suse.com/security/cve/CVE-2025-11715.html
• https://www.suse.com/security/cve/CVE-2025-13012.html
• https://www.suse.com/security/cve/CVE-2025-13013.html
• https://www.suse.com/security/cve/CVE-2025-13014.html
• https://www.suse.com/security/cve/CVE-2025-13015.html
• https://www.suse.com/security/cve/CVE-2025-13016.html
• https://www.suse.com/security/cve/CVE-2025-13017.html
• https://www.suse.com/security/cve/CVE-2025-13018.html
• https://www.suse.com/security/cve/CVE-2025-13019.html
• https://www.suse.com/security/cve/CVE-2025-13020.html
• https://bugzilla.suse.com/show_bug.cgi?id=1249391
• https://bugzilla.suse.com/show_bug.cgi?id=1250452
• https://bugzilla.suse.com/show_bug.cgi?id=1251263
• https://bugzilla.suse.com/show_bug.cgi?id=1253188