How to fix CVE-2025-14326?

Within 24 hours: Identify all Firefox and Thunderbird installations below version 146 in your organization using endpoint detection tools; communicate mandatory upgrade deadline to end users. Within 7 days: Deploy Firefox 146+ and Thunderbird 146+ across all managed systems via patch management; verify successful upgrade on 100% of endpoints. Within 30 days: Audit third-party systems and kiosks for legacy versions; document any systems that cannot be upgraded and implement compensating controls per your CISO.

Is Memory Corruption affected by CVE-2025-14326?

Mozilla Firefox and Thunderbird versions prior to 146 contain a critical use-after-free vulnerability in the media processing component that enables remote code execution without authentication.

CVE-2025-14326

CRITICAL

2025-12-09 [email protected]

Memory Corruption Mozilla Use After Free Information Disclosure Thunderbird Redhat Suse

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 13, 2026 - 16:10 vuln.today

DescriptionNVD

Use-after-free in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 146 and Thunderbird 146.

AnalysisAI

Remote code execution in Mozilla Firefox and Thunderbird (pre-146) allows unauthenticated network attackers to execute arbitrary code via a use-after-free flaw in the GMP (Gecko Media Plugin) audio/video component. Despite a critical CVSS 9.8 rating, EPSS probability remains low (0.08%, 23rd percentile), and no public exploit identified at time of analysis. Mozilla patched both products in version 146, with vendor advisories and technical details available via Bugzilla.

Technical ContextAI

The vulnerability resides in the Gecko Media Plugin (GMP) framework, which Firefox and Thunderbird use to handle sandboxed media codecs (e.g., OpenH264, Widevine) for audio/video playback. A use-after-free (CWE-416) occurs when memory is accessed after being freed, often due to improper object lifecycle management or race conditions in asynchronous media processing. In GMP's case, this likely involves callbacks or event handlers referencing deallocated media buffer objects or codec contexts during transcoding or playback. Because GMP operates within the content process, successful exploitation could escape sandbox constraints if combined with a renderer exploit. The CPE identifiers confirm Mozilla Firefox desktop (non-ESR) and Thunderbird (non-ESR) as affected products across all platforms prior to version 146.

RemediationAI

Vendor-released patch: Firefox 146 and Thunderbird 146. Users should upgrade immediately via the built-in update mechanism (Help > About Firefox/Thunderbird) or by downloading installers from mozilla.org. Enterprise administrators can deploy version 146 through package managers (apt/yum for Linux, MSI for Windows, DMG for macOS) or centralized update servers. The Mozilla Security Advisories (MFSA2025-92 for Firefox at https://www.mozilla.org/security/advisories/mfsa2025-92/, MFSA2025-95 for Thunderbird at https://www.mozilla.org/security/advisories/mfsa2025-95/) provide release notes and deployment guidance. No workarounds exist; GMP is a core media processing component that cannot be disabled without breaking video/audio playback. Organizations unable to patch immediately should restrict browser usage to trusted content sources and disable automatic media playback in about:config (media.autoplay.default = 5 for block all), though this does not fully mitigate risk if malicious media is manually loaded.

Vendor StatusVendor

CVE-2025-14326 vulnerability details – vuln.today

Back

CVE-2025-14326

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

Share

External POC / Exploit Code