Description
Use-after-free in the Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.
Published: 2025-11-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Use‑after‑free in the Audio/Video component of Mozilla Firefox and Thunderbird can corrupt memory, potentially allowing an attacker to execute arbitrary code within the user’s process. The flaw results from improper memory handling and is classified as CWE‑416 and CWE‑825. Successful exploitation would compromise the confidentiality, integrity and availability of the affected system.

Affected Systems

Mozilla Firefox versions prior to 145, Firefox ESR versions prior to 140.5 and 115.30, and Mozilla Thunderbird versions prior to 145 and 140.5 are vulnerable. All affected editions run on the default audio‑video pipeline and are listed in the known CPE entries.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. EPSS below 1% suggests a low probability of widespread exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation would likely require the attacker to supply a crafted audio or video file and require the user to view or open it, possibly through a web page or an email attachment. In such an event, the attacker could hijack the victim’s process and execute arbitrary code with the user’s privileges.

Generated by OpenCVE AI on April 20, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to 145 or later, or Firefox ESR to 140.5 or 115.30 or later, and upgrade Thunderbird to 145 or 140.5 or later.
  • If upgrading is not immediately possible, disable the built‑in Audio/Video component or force the use of a software decoder to prevent the vulnerable code path.
  • Monitor Mozilla security advisories for additional updates or workarounds.



Advisories
Source       ID           Title
Debian DLA   DLA-4370-1   firefox-esr security update
Debian DLA   DLA-4372-1   thunderbird security update
Debian DSA   DSA-6054-1   firefox-esr security update
Debian DSA   DSA-6059-1   thunderbird security update
Ubuntu USN   USN-7991-1   Thunderbird vulnerabilities

History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Use-after-free in the Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5.
Values Added: Use-after-free in the Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5.

Wed, 19 Nov 2025 19:30:00 +0000

Type: Description
Values Removed: Use-after-free in the Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30.
Values Added: Use-after-free in the Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Firefox ESR < 115.30, Thunderbird < 145, and Thunderbird < 140.5.

Type: References

Mon, 17 Nov 2025 12:45:00 +0000

Type: CPEs
Values Added:
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*

Wed, 12 Nov 2025 15:15:00 +0000

Type: Weaknesses
Values Added: CWE-416

Type: Metrics
Values Removed:
cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added:
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 12 Nov 2025 13:00:00 +0000

Type: First Time appeared
Values Added:
Mozilla
Mozilla firefox
Mozilla firefox Esr

Type: Vendors & Products
Values Added:
Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 12 Nov 2025 00:15:00 +0000

Type: Weaknesses
Values Added: CWE-825

Type: References

Type: Metrics
Values Removed:
threat_severity: None
Values Added:
cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
threat_severity: Moderate

Tue, 11 Nov 2025 16:00:00 +0000

Type: Description
Values Added: Use-after-free in the Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, and Firefox ESR < 115.30.

Type: Title
Values Added: Use-after-free in the Audio/Video component

Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:38.013Z

Reserved: 2025-11-11T15:12:08.629Z

Link: CVE-2025-13014

Vulnrichment

Updated: 2025-11-12T15:34:25.330Z

NVD

Status: Modified

Published: 2025-11-11T16:15:38.473

Modified: 2026-04-13T15:16:42.297

Link: CVE-2025-13014

Red Hat

Severity: Moderate

Public Date: 2025-11-11T15:47:12Z

Links: CVE-2025-13014 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T19:15:15Z

Weaknesses