CVE-2025-5262

A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 139 and Thunderbird < 128.11.

Configurations

Configuration 1

OR cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*

History

19 Sep 2025, 17:18

Type Values Removed Values Added
CWE CWE-415
CPE cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
First Time Mozilla
Mozilla thunderbird
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
Summary
  • (es) A double-free could have occurred in `vpx_codec_enc_init_multi` after an allocation failure when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird (versions before 139) and Thunderbird (versions before 128.11).
Summary (en) Rejected reason: This CVE was accidentally assigned by Mozilla but should be assigned by another CNA. When the correct CVE is available, Mozilla's advisories will be updated to reflect that identifier. (en) A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 139 and Thunderbird < 128.11.
References
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1962421 - Issue Tracking, Permissions Required
  • https://www.mozilla.org/security/advisories/mfsa2025-45/ - Vendor Advisory
  • https://www.mozilla.org/security/advisories/mfsa2025-46/ - Vendor Advisory

27 May 2025, 18:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.5
v2 : unknown
v3 : unknown
CWE CWE-415
References
  • {'url': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1962421', 'source': '[email protected]'}
  • {'url': 'https://www.mozilla.org/security/advisories/mfsa2025-42/', 'source': '[email protected]'}
  • {'url': 'https://www.mozilla.org/security/advisories/mfsa2025-43/', 'source': '[email protected]'}
  • {'url': 'https://www.mozilla.org/security/advisories/mfsa2025-44/', 'source': '[email protected]'}
Summary (en) A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, and Firefox ESR < 128.11. (en) Rejected reason: This CVE was accidentally assigned by Mozilla but should be assigned by another CNA. When the correct CVE is available, Mozilla's advisories will be updated to reflect that identifier.

27 May 2025, 16:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
CWE CWE-415

27 May 2025, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-05-27 13:15

Updated : 2025-09-19 17:18


NVD link : CVE-2025-5262

Mitre link : CVE-2025-5262

CVE.ORG link : CVE-2025-5262



Products Affected
CWE
CWE-415: Double Free