Skip to main content

Thunderbird CVE-2025-14321

CRITICAL
Use After Free (CWE-416)
2025-12-09 security@mozilla.org
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Apr 13, 2026 - 16:09 vuln.today

DescriptionCVE.org

Use-after-free in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 146, Firefox ESR 140.6, Thunderbird 146, and Thunderbird 140.6.

AnalysisAI

Remote code execution via use-after-free in Mozilla Firefox and Thunderbird WebRTC signaling allows unauthenticated network attackers to execute arbitrary code without user interaction. Affects Firefox <146, Firefox ESR <140.6, Thunderbird <146, and Thunderbird ESR <140.6. Vendor-released patches available (Firefox 146, Firefox ESR 140.6, Thunderbird 146, Thunderbird 140.6). CVSS 9.8 (critical) reflects maximum technical severity, though EPSS 0.09% (25th percentile) and absence from CISA KEV suggest limited real-world exploitation at time of analysis. No public exploit identified at time of analysis.

Technical ContextAI

CWE-416 use-after-free vulnerabilities occur when code continues to reference memory after it has been deallocated, allowing attackers to manipulate freed memory regions for arbitrary code execution. The vulnerability resides in WebRTC (Web Real-Time Communication) signaling components, which handle peer-to-peer communication session setup and negotiation in modern browsers. WebRTC signaling processes network-provided data to establish connections, making it an attack surface accessible remotely. The affected products per CPE data include both standard and Extended Support Release (ESR) branches of Firefox (desktop browser) and Thunderbird (email/calendar client), indicating the flaw exists in shared Mozilla networking code used across their application suite.

RemediationAI

Upgrade immediately to Firefox 146 or Firefox ESR 140.6 for browser installations, and Thunderbird 146 or Thunderbird ESR 140.6 for email client installations. Mozilla has released patches across all affected product lines simultaneously. Enterprise administrators should prioritize deployment through existing update mechanisms (GPO, configuration management tools, or Mozilla's enterprise policy templates). For Firefox ESR users on long-term support channels, upgrade to version 140.6 which backports the security fix while maintaining ESR stability commitments. No workarounds are available for this memory corruption vulnerability; patching is the only effective mitigation. Download patched versions from https://www.mozilla.org or consult the security advisories at https://www.mozilla.org/security/advisories/mfsa2025-92/, mfsa2025-94/, mfsa2025-95/, and mfsa2025-96/ for version-specific guidance. Verify successful patching by navigating to About Firefox or About Thunderbird and confirming version numbers meet or exceed 146 (standard) or 140.6 (ESR).

CVE-2024-4367 HIGH POC
8.8 May 14

Arbitrary JavaScript execution in Mozilla's PDF.js library affects Firefox before 126, Firefox ESR before 115.11, and Th

CVE-2026-2796 CRITICAL POC
9.8 Feb 24

JIT miscompilation in Firefox WebAssembly before 148. The JIT compiler generates incorrect Wasm code, enabling type conf

CVE-2025-8043 CRITICAL POC
9.8 Jul 22

Firefox and Thunderbird URL truncation flaw enables spoofing attacks by displaying misleading origins in the address bar

CVE-2026-2761 CRITICAL
10.0 Feb 24

Second sandbox escape in Firefox WebRender component. CVSS 10.0 — independent path from CVE-2026-2760 to escape the cont

CVE-2026-2768 CRITICAL
10.0 Feb 24

Sandbox escape via IndexedDB in Firefox before 148 and Thunderbird. CVSS 10.0 — the Storage: IndexedDB component allows

CVE-2026-2778 CRITICAL
10.0 Feb 24

Sandbox escape via DOM Core & HTML component in Firefox before 148. CVSS 10.0 — fifth sandbox escape in this release.

CVE-2026-2776 CRITICAL
10.0 Feb 24

Sandbox escape via Telemetry component in Firefox external software before 148. CVSS 10.0 — fourth sandbox escape in thi

CVE-2026-2760 CRITICAL
10.0 Feb 24

Sandbox escape via boundary violation in Firefox WebRender graphics component. CVSS 10.0 — allows escaping the content s

CVE-2026-0881 CRITICAL
10.0 Jan 13

Firefox Messaging System component has a sandbox escape vulnerability. Maximum CVSS 10.0 with scope change. Affects Fire

CVE-2025-14324 CRITICAL
9.8 Dec 09

JIT compiler miscompilation in Mozilla's JavaScript engine allows remote code execution without authentication in Firefo

CVE-2025-14330 CRITICAL
9.8 Dec 09

Just-In-Time (JIT) compilation flaws in Mozilla's JavaScript engine allow unauthenticated remote attackers to achieve ar

CVE-2025-14326 CRITICAL
9.8 Dec 09

Remote code execution in Mozilla Firefox and Thunderbird (pre-146) allows unauthenticated network attackers to execute a

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
Container suse/sl-micro/6.0/toolbox:latest Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.2 Image SL-Micro-Azure Image SL-Micro-BYOS-Azure Image SL-Micro-BYOS-EC2 Image SL-Micro-BYOS-GCE Image SL-Micro-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-GCE Image SUSE-Multi-Linux-Manager-Proxy-BYOS-Azure Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-Azure-llc Image SUSE-Multi-Linux-Manager-Server-Azure-ltd Image SUSE-Multi-Linux-Manager-Server-BYOS-Azure Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-GCE Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Image SLES12-SP5-SAP-Azure-LI-BYOS-Production Image SLES12-SP5-SAP-Azure-VLI-BYOS-Production Affected
Image SLES15-SP4-SAP-Azure-LI-BYOS Image SLES15-SP4-SAP-Azure-LI-BYOS-Production Image SLES15-SP4-SAP-Azure-VLI-BYOS Image SLES15-SP4-SAP-Azure-VLI-BYOS-Production Image SLES15-SP5-SAP-Azure-LI-BYOS Image SLES15-SP5-SAP-Azure-LI-BYOS-Production Image SLES15-SP5-SAP-Azure-VLI-BYOS Image SLES15-SP5-SAP-Azure-VLI-BYOS-Production Image SLES15-SP6-SAP-Azure-LI-BYOS Image SLES15-SP6-SAP-Azure-LI-BYOS-Production Image SLES15-SP6-SAP-Azure-VLI-BYOS Image SLES15-SP6-SAP-Azure-VLI-BYOS-Production Image SLES15-SP7-SAP-Azure-LI-BYOS-Production Image SLES15-SP7-SAP-Azure-VLI-BYOS-Production Affected
SUSE Enterprise Storage 7.1 Fixed

Share

CVE-2025-14321 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy