CVE-2025-11708

CRITICAL
2025-10-14 [email protected]
Memory Corruption Mozilla Use After Free Information Disclosure Thunderbird Redhat Suse
9.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Apr 13, 2026 - 15:42 vuln.today

DescriptionNVD

Use-after-free in MediaTrackGraphImpl::GetInstance(). This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

AnalysisAI

Remote code execution in Mozilla Firefox (all versions prior to 144, ESR prior to 140.4) and Thunderbird (all versions prior to 144, ESR prior to 140.4) allows unauthenticated remote attackers to execute arbitrary code, disclose sensitive information, or cause denial of service through a use-after-free vulnerability in MediaTrackGraphImpl::GetInstance(). With a critical CVSS score of 9.8 and no authentication required, this memory corruption flaw represents a severe security risk. No public exploit identified at time of analysis, though EPSS data not available to assess exploitation probability.

Technical ContextAI

This vulnerability stems from a use-after-free condition (CWE-416) in the MediaTrackGraphImpl::GetInstance() method, which is part of Mozilla's Web Audio API implementation responsible for managing media track processing graphs. Use-after-free vulnerabilities occur when code attempts to access memory after it has been freed, leading to undefined behavior that attackers can manipulate. In browser contexts, the MediaTrackGraph handles audio/video stream routing and processing, making it a critical component for media functionality. The affected CPE strings identify Firefox (both standard and ESR channels) and Thunderbird (both versions) as vulnerable products. Memory corruption vulnerabilities in media processing components are particularly dangerous because they handle complex, often untrusted data from web content, providing attack surface through crafted media streams or web pages that trigger specific timing conditions in the media graph lifecycle management.

RemediationAI

Upgrade immediately to Firefox 144 or Firefox ESR 140.4 for browser deployments, and Thunderbird 144 or Thunderbird ESR 140.4 for email client installations. Mozilla has released vendor patches addressing this vulnerability in coordinated security advisories MFSA2025-81, MFSA2025-83, MFSA2025-84, and MFSA2025-85 available at https://www.mozilla.org/security/advisories/. Debian users should apply updates through their distribution's package management system as detailed in debian-lts-announce advisories. No workarounds are available for this memory corruption vulnerability; patching is the only effective remediation. Organizations using auto-update mechanisms should verify successful deployment of version 144 or ESR 140.4. For enterprise deployments with controlled update schedules, prioritize this patch due to the network attack vector and lack of authentication requirements.

Vendor StatusVendor

Share

CVE-2025-11708 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy