CVE-2025-12380 - Vulnerability Details

- Use-after-free in WebGPU internals triggered from a compromised child process

Description

Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox. This vulnerability was fixed in Firefox 144.0.2.

Published: 2025-10-28

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A compromised child process can trigger a use‑after‑free in Firefox’s GPU or browser process through WebGPU IPC calls, allowing the attacker to potentially escape the child process sandbox. The flaw stems from improper deallocation of GPU resource handles (CWE‑416) and can lead to execution of arbitrary code or data disclosure within the host process.

Affected Systems

All Firefox installations starting with version 142 up to 144.0.1 on any platform are affected. The vulnerability was resolved in Firefox 144.0.2 and later releases.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, but the EPSS score of less than 1% suggests a very low likelihood of active exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitability requires a child process to be compromised and to send malicious WebGPU IPC messages; no public exploitation reports exist yet, so the primary threat is theoretical until an adversary finds a vector to compromise a child process.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`144.0.2`	unaffected	≤ *

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

No data.

Vendor	Product	Confidence	Versions
Mozilla	Firefox	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade all Firefox installations to version 144.0.2 or later to remove the use‑after‑free flaw.
Temporarily disable WebGPU by setting the dom.webgpu.enabled preference to false in the Firefox configuration until the software patch is applied.
Enable system‑level monitoring of child processes and IPC calls to detect anomalous WebGPU activity, and implement alerts for suspicious behavior.

Generated by OpenCVE AI on April 20, 2026 at 19:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00056.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1993113
https://www.mozilla.org/security/advisories/mfsa2025-86/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox. This vulnerability affects Firefox < 144.0.2.	Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox. This vulnerability was fixed in Firefox 144.0.2.

Fri, 19 Dec 2025 18:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::*

Thu, 30 Oct 2025 16:30:00 +0000

Type	Values Removed	Values Added
Title		Use-after-free in WebGPU internals triggered from a compromised child process

Wed, 29 Oct 2025 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-416
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 29 Oct 2025 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox
Vendors & Products		Mozilla Mozilla firefox

Tue, 28 Oct 2025 14:15:00 +0000

Type	Values Removed	Values Added
Description		Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox. This vulnerability affects Firefox < 144.0.2.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1993113 https://www.mozilla.org/security/advisories/mfsa2025-86/

Subscriptions

Mozilla Firefox

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-10-28T14:06:34.814Z

Updated: 2026-04-13T14:31:37.137Z

Reserved: 2025-10-28T07:05:52.674Z

Link: CVE-2025-12380

Vulnrichment

Updated: 2025-10-29T13:53:05.089Z

NVD

Status : Modified

Published: 2025-10-28T14:15:57.860

Modified: 2026-04-13T15:16:41.757

Link: CVE-2025-12380

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:15:15Z

Weaknesses

CWE-416

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object