Memory safety bugs present in Firefox 125. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 126.
The vulnerabilities concern improper memory management in the Firefox 125 browser engine, classified as CWE-1260 (memory protection mechanism mismatch). Some of the identified vulnerabilities showed evidence of actual memory corruption during application operation. An exploit could be carried out remotely, without the need for authentication and without user interaction, which reflects the CVSS vector AV:N/AC:L/PR:N/UI:N.
An attacker can potentially execute arbitrary code (RCE) on the victim's computer, which may lead to complete system takeover, data confidentiality breach, and disruption of application functionality.
Mozilla Firefox should be updated to version 126 or newer. Updates are available through the browser's automatic update mechanism or on the manufacturer's website in accordance with the MFSA2024-21 security advisory.
Mozilla Firefox in versions earlier than 126 (vulnerable version: Firefox 125).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 126.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...