Mozilla has released emergency security updates to address a critical vulnerability in Firefox that could allow attackers to execute arbitrary code on victims’ systems without any user interaction.
The security flaw, tracked as CVE-2025-5262, was announced on May 27, 2025, as part of the Mozilla Foundation Security Advisory.
Security researchers warn that this is a particularly dangerous vulnerability as it requires no user action beyond normal browsing to be exploited.
0-Interaction libvpx Vulnerability
The critical vulnerability is a double-free memory corruption issue located in the libvpx library, which Firefox uses for VP8 and VP9 video encoding and decoding in WebRTC communications.
Specifically, the flaw occurs in the vpx_codec_enc_init_multi function when handling failed memory allocations during the encoder initialization process for WebRTC.
According to Mozilla’s security advisory, “A double-free could have occurred in vpx_codec_enc_init_multi after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash.”
The root cause was identified in the vp8e_init() function, where the encoder would take ownership of mr_cfg.mr_low_res_mode_info even if vp8_create_compressor() failed.
This created confusion at the call site, since the other failure paths in vp8e_init() did not transfer ownership; as a result, both the caller and vpx_codec_destroy() freed the same memory block, triggering the double-free condition.
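The ownership mix-up described above, as an added model (not libvpx's code) with hypothetical stand-in types and helpers: the buggy init keeps the `mr_low_res_mode_info` pointer after `vp8_create_compressor()` fails, the fixed init clears it, and a counting release stand-in shows how many times the one block gets freed at the call site.

```c
#include <stdlib.h>

/* Added example modelling the ownership bug behind CVE-2025-5262.
 * Types and helper names are hypothetical stand-ins, not libvpx code. */
typedef struct { int level; } lowres_info_t;   /* stands in for mr_low_res_mode_info */
typedef struct { lowres_info_t *mr_low_res_mode_info; } codec_ctx_t;

static int g_release_count;  /* how many times the one shared block was released */
static void release(lowres_info_t *p) { if (p) g_release_count++; } /* counting free() stand-in */
static int create_compressor(int fail) { return fail ? -1 : 0; }   /* vp8_create_compressor() stand-in */

/* Buggy vp8e_init(): keeps the pointer even when compressor creation fails,
 * so the context and the caller both believe they own the block. */
int vp8e_init_buggy(codec_ctx_t *ctx, lowres_info_t *info, int fail) {
    ctx->mr_low_res_mode_info = info;
    if (create_compressor(fail) != 0) return -1;
    return 0;
}

/* Fixed vp8e_init(): mr_* fields are cleared on failure, matching the other
 * error paths, so ownership stays with the caller. */
int vp8e_init_fixed(codec_ctx_t *ctx, lowres_info_t *info, int fail) {
    ctx->mr_low_res_mode_info = info;
    if (create_compressor(fail) != 0) {
        ctx->mr_low_res_mode_info = NULL;
        return -1;
    }
    return 0;
}

/* vpx_codec_destroy() stand-in: releases whatever the context still owns. */
static void codec_destroy(codec_ctx_t *ctx) {
    release(ctx->mr_low_res_mode_info);
    ctx->mr_low_res_mode_info = NULL;
}

/* Models the vpx_codec_enc_init_multi() call site: on init failure the caller
 * releases its own allocation, then the context is destroyed. Returns how many
 * times the single block was released; 2 is the double free. */
int run_call_site(int (*init)(codec_ctx_t *, lowres_info_t *, int), int fail) {
    lowres_info_t *info = malloc(sizeof *info);
    codec_ctx_t ctx = { NULL };
    g_release_count = 0;
    if (init(&ctx, info, fail) != 0) release(info);  /* caller frees what it thinks it owns */
    codec_destroy(&ctx);                             /* frees whatever the context claims */
    free(info);                                      /* real cleanup for this model, once */
    return g_release_count;
}
```

Running the failing path through `vp8e_init_buggy` yields two releases of the same block, while `vp8e_init_fixed` yields one; the success path releases once either way because destroy is the sole owner.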
| Risk Factors | Details |
|---|---|
| Affected Products | Firefox < 139.0; Firefox ESR < 115.24; Firefox ESR < 128.11 |
| Impact | Arbitrary code execution |
| Exploit Prerequisites | Victim visits a malicious webpage leveraging WebRTC; no user interaction required beyond normal browsing |
| CVSS 3.1 Score | 9.8 (Critical) |
Affected Firefox Versions
This vulnerability affects multiple Firefox versions and editions, including:
- Firefox versions prior to 139.0
- Firefox ESR versions prior to 128.11
- Firefox ESR versions prior to 115.24
Security experts classify this as a critical vulnerability because it could potentially allow attackers to execute arbitrary code on victims’ systems.
The vulnerability is particularly concerning because it exists in WebRTC, a widely used protocol for real-time communications that enables video conferencing and other interactive features in web browsers.
Previous vulnerabilities in the libvpx library have been actively exploited in the wild by commercial surveillance vendors.
Mitigation Steps
Mozilla has addressed the vulnerability in Firefox 139, Firefox ESR 128.11, and Firefox ESR 115.24, released on May 27, 2025.
The fix, originally committed by James Zern from Google, involves ensuring that mr_* related variables are cleared on failure to prevent the double-free condition. Users are strongly advised to update their browsers immediately to the latest version.
To check if your browser is up-to-date, go to the Firefox menu, select “Help,” and click on “About Firefox.” The browser will automatically check for updates and prompt you to restart if an update is available.