
Thunderbird CVE-2025-14326

CRITICAL
Use After Free (CWE-416)
2025-12-09 security@mozilla.org
Critical
Disputed · 9.8 NVD

Severity by source

Sources disagree (Medium–Critical)
NVD (primary): 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE: CRITICAL (qualitative)
Red Hat: 6.1 MEDIUM (qualitative)

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Apr 13, 2026 - 16:10 (vuln.today)

Description (CVE.org)

Use-after-free in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 146 and Thunderbird 146.

Analysis (AI)

Remote code execution in Mozilla Firefox and Thunderbird (pre-146) allows unauthenticated network attackers to execute arbitrary code via a use-after-free flaw in the GMP (Gecko Media Plugin) audio/video component. Despite a critical CVSS 9.8 rating, the EPSS probability remains low (0.08%, 23rd percentile), and no public exploit had been identified at the time of analysis. Mozilla patched both products in version 146, with vendor advisories and technical details available via Bugzilla.

Technical Context (AI)

The vulnerability resides in the Gecko Media Plugin (GMP) framework, which Firefox and Thunderbird use to handle sandboxed media codecs (e.g., OpenH264, Widevine) for audio/video playback. A use-after-free (CWE-416) occurs when memory is accessed after being freed, often due to improper object lifecycle management or race conditions in asynchronous media processing. In GMP's case, this likely involves callbacks or event handlers referencing deallocated media buffer objects or codec contexts during transcoding or playback. Because GMP operates within the content process, successful exploitation could escape sandbox constraints if combined with a renderer exploit. The CPE identifiers confirm Mozilla Firefox desktop (non-ESR) and Thunderbird (non-ESR) as affected products across all platforms prior to version 146.

Remediation (AI)

Vendor-released patch: Firefox 146 and Thunderbird 146. Users should upgrade immediately via the built-in update mechanism (Help > About Firefox/Thunderbird) or by downloading installers from mozilla.org. Enterprise administrators can deploy version 146 through package managers (apt/yum for Linux, MSI for Windows, DMG for macOS) or centralized update servers. The Mozilla Security Advisories (MFSA2025-92 for Firefox at https://www.mozilla.org/security/advisories/mfsa2025-92/, MFSA2025-95 for Thunderbird at https://www.mozilla.org/security/advisories/mfsa2025-95/) provide release notes and deployment guidance. No workarounds exist; GMP is a core media processing component that cannot be disabled without breaking video/audio playback. Organizations unable to patch immediately should restrict browser usage to trusted content sources and disable automatic media playback in about:config (set media.autoplay.default to 5 to block all autoplay), though this does not fully mitigate the risk if malicious media is loaded manually.

CVE-2024-4367 HIGH POC
8.8 May 14

Arbitrary JavaScript execution in Mozilla's PDF.js library affects Firefox before 126, Firefox ESR before 115.11, and Th

CVE-2026-2796 CRITICAL POC
9.8 Feb 24

JIT miscompilation in Firefox WebAssembly before 148. The JIT compiler generates incorrect Wasm code, enabling type conf

CVE-2025-8043 CRITICAL POC
9.8 Jul 22

Firefox and Thunderbird URL truncation flaw enables spoofing attacks by displaying misleading origins in the address bar

CVE-2026-2761 CRITICAL
10.0 Feb 24

Second sandbox escape in Firefox WebRender component. CVSS 10.0 — independent path from CVE-2026-2760 to escape the cont

CVE-2026-2768 CRITICAL
10.0 Feb 24

Sandbox escape via IndexedDB in Firefox before 148 and Thunderbird. CVSS 10.0 — the Storage: IndexedDB component allows

CVE-2026-2778 CRITICAL
10.0 Feb 24

Sandbox escape via DOM Core & HTML component in Firefox before 148. CVSS 10.0 — fifth sandbox escape in this release.

CVE-2026-2776 CRITICAL
10.0 Feb 24

Sandbox escape via Telemetry component in Firefox external software before 148. CVSS 10.0 — fourth sandbox escape in thi

CVE-2026-2760 CRITICAL
10.0 Feb 24

Sandbox escape via boundary violation in Firefox WebRender graphics component. CVSS 10.0 — allows escaping the content s

CVE-2026-0881 CRITICAL
10.0 Jan 13

Firefox Messaging System component has a sandbox escape vulnerability. Maximum CVSS 10.0 with scope change. Affects Fire

CVE-2025-14324 CRITICAL
9.8 Dec 09

JIT compiler miscompilation in Mozilla's JavaScript engine allows remote code execution without authentication in Firefo

CVE-2025-14330 CRITICAL
9.8 Dec 09

Just-In-Time (JIT) compilation flaws in Mozilla's JavaScript engine allow unauthenticated remote attackers to achieve ar

CVE-2025-14321 CRITICAL
9.8 Dec 09

Remote code execution via use-after-free in Mozilla Firefox and Thunderbird WebRTC signaling allows unauthenticated netw

Vendor Status (Vendor)

SUSE

Severity: Critical
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
