A double-free issue could have occurred in `sec_pkcs7_decoder_start_decrypt()` when handling an error path. Under specific conditions, the same symmetric key could have been freed twice, potentially leading to memory corruption. This vulnerability affects Firefox < 133, Thunderbird < 133, Firefox ESR < 128.7, and Thunderbird < 128.7.
In the `sec_pkcs7_decoder_start_decrypt()` function handling the error path in symmetric encryption, the same symmetric key may be freed from memory twice (double-free). Such double freeing of the same memory area leads to heap corruption. An attacker could potentially exploit this state to take control of program execution by crafting a specially constructed message or content that triggers the incorrect code path.
Successful exploitation of this vulnerability may lead to arbitrary code execution (RCE) in the context of the browser or mail client process, as well as disclosure of sensitive data or destabilization of application functionality.
Firefox should be updated immediately to version 133 or newer (for ESR branch to version 128.7 or newer) and Thunderbird to version 133 or newer (for ESR branch to version 128.7 or newer). Details available in Mozilla security advisories: mfsa2024-63, mfsa2024-67, mfsa2025-09, mfsa2025-10.
Mozilla Firefox versions below 133, Mozilla Firefox ESR versions below 128.7, Mozilla Thunderbird versions below 133, and Mozilla Thunderbird ESR versions below 128.7.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 128.7.0< 133.0Mozilla Thunderbird
APPMozilla< 128.7.0129.0 – 133.0 (bez)
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...