How to fix CVE-2025-14860?

Within 24 hours: Identify all systems running Firefox versions prior to 146.0.1 using endpoint detection tools and issue urgent patch notification to users. Within 7 days: Deploy Firefox 146.0.1 or later through automated update mechanisms or MDM/patch management systems to achieve 95%+ coverage; verify update deployment through telemetry. Within 30 days: Confirm 100% remediation of affected Firefox installations and validate no systems remain on vulnerable versions through compliance scanning.

Is Memory Corruption affected by CVE-2025-14860?

Mozilla Firefox versions prior to 146.0.1 contain a critical remote code execution vulnerability in Disability Access APIs that allows unauthenticated attackers to execute arbitrary code on affected systems without user interaction.

CVE-2025-14860

CRITICAL

2025-12-18 [email protected]

Memory Corruption Mozilla Use After Free Information Disclosure Suse

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Apr 13, 2026 - 16:12 vuln.today

DescriptionNVD

Use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 146.0.1.

AnalysisAI

Remote code execution in Mozilla Firefox via use-after-free in Disability Access APIs allows unauthenticated network attackers to compromise browser integrity with high impact. The vulnerability (CWE-416) affects Firefox versions prior to 146.0.1 and requires no user interaction or special privileges. With CVSS 9.8 (Critical) but low EPSS (0.07%, 21st percentile), real-world exploitation probability remains limited despite theoretical severity. No public exploit identified at time of analysis, and vendor-released patch 146.0.1 available.

Technical ContextAI

This vulnerability stems from a use-after-free condition (CWE-416) in Firefox's Disability Access APIs, which provide programmatic interfaces for assistive technologies to interact with browser content. Use-after-free vulnerabilities occur when memory is accessed after being freed, creating potential for arbitrary code execution if an attacker can control the freed memory region. The affected component (cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*) exposes this flaw through network-accessible attack surfaces. Disability Access APIs typically involve DOM manipulation and cross-process communication, making memory lifecycle management particularly critical. The lack of scope change (S:U) indicates the vulnerability is confined to the browser's security context, though full confidentiality, integrity, and availability impact are achievable within that boundary.

RemediationAI

Immediately upgrade Mozilla Firefox to version 146.0.1 or later, which contains the complete fix for this use-after-free vulnerability. Firefox's automatic update mechanism should deploy this patch without user intervention for most installations. Enterprise administrators using managed deployments should prioritize distribution of version 146.0.1 through their software management systems. Verify successful update by navigating to About Firefox in the application menu and confirming version number. No effective workarounds exist for this vulnerability short of upgrading, as the Disability Access APIs are integral browser components that cannot be safely disabled without breaking accessibility functionality. Complete remediation guidance and technical details are available in Mozilla Security Advisory MFSA2025-98 at https://www.mozilla.org/security/advisories/mfsa2025-98/ and the upstream bug report at https://bugzilla.mozilla.org/show_bug.cgi?id=2000597.

Vendor StatusVendor

CVE-2025-14860 vulnerability details – vuln.today

Back

CVE-2025-14860

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Vendor StatusVendor

Share

External POC / Exploit Code