Description
Use-after-free in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.
Published: 2025-11-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Use‑after‑free in the WebRTC Audio/Video component, potentially allowing arbitrary code execution or an application crash
Action: Patch immediately
AI Analysis

Impact

The vulnerability is a use-after-free (CWE-416; NVD also records CWE-825, Expired Pointer Dereference) in the WebRTC audio/video processing component: code dereferences a pointer to an object after that object has been freed. Because freed memory can be reallocated with attacker-influenced contents, the result ranges from an application crash (denial of service) to memory corruption that could allow arbitrary code execution in the affected process. The official description does not cite a specific exploitation path; the 8.8 CVSS score reflects that potential impact, not a demonstrated exploit.

Affected Systems

This vulnerability affects Mozilla Firefox before 145, Firefox ESR before 140.5, Mozilla Thunderbird before 145 and Thunderbird ESR before 140.5. Thunderbird is listed because it is built on the same Gecko platform code as Firefox. Any install on an earlier release of one of these branches is exposed.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) classifies the flaw as high severity: reachable over the network with no privileges, but requiring user interaction. Red Hat's own assessment is lower (Moderate, CVSS 6.1; see the history below). The EPSS score below 1 % is a predicted probability of exploitation in the wild over the next 30 days, not a report of observed attacks, and indicates that exploitation is currently unlikely. Because the bug sits in client-side media handling, an attacker needs the victim to process attacker-controlled WebRTC audio or video, most plausibly by visiting a malicious or compromised web page that sets up a peer connection; how the same code path would be reached in Thunderbird is not described in the advisory, so treat it as affected as the vendor does. The CVE is not listed in the CISA KEV catalog, but a remotely reachable use-after-free in a browser that can lead to code execution warrants prompt patching rather than waiting for exploitation reports.

Generated by OpenCVE AI on April 20, 2026 at 21:36 UTC.

Remediation

The vendor fix is the patched release named in the description (Firefox 145, Firefox ESR 140.5, Thunderbird 145, Thunderbird 140.5); Mozilla has not published a separate workaround.

OpenCVE Recommended Actions

  • Upgrade to Mozilla Firefox 145 or newer, or Firefox ESR 140.5 or newer, and to Mozilla Thunderbird 145 or newer, or Thunderbird ESR 140.5 or newer, to apply the vendor's patch.
  • If an immediate upgrade is not possible, disable WebRTC: in Firefox set media.peerconnection.enabled to false in about:config (the same Gecko preference can be set in Thunderbird's Config Editor). Note that privacy extensions generally only change privacy.network.webRTCIPHandlingPolicy through the WebExtension privacy API, which limits ICE candidate and IP exposure but does not stop the WebRTC media pipeline from running, so an extension is not a substitute for turning the preference off.
  • Enable automatic updates or routinely check Mozilla's security advisories for future patches to keep the system protected.
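As an added example (not part of the OpenCVE page or of Mozilla's guidance), the following Python script triages an inventory of installs against the fixed versions above and checks whether the about:config mitigation is actually in effect. It assumes the `firefox --version` / `thunderbird --version` output formats shown in the sample data, and that the profile's `prefs.js` or `user.js` uses the standard Gecko `user_pref(...)` syntax; the host names, version strings and preference snippets are constructed for the example.

```python
import re

# Fixed builds named in the advisory. Anything below these on its branch is
# affected (Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145,
# Thunderbird ESR < 140.5).
FIXED_VERSIONS = {
    "release": (145, 0, 0),
    "esr": (140, 5, 0),
}

# Assumed format of `--version` output, e.g. "Mozilla Firefox 140.4.0esr"
# or "Thunderbird 144.0.1". An "esr" suffix marks the ESR branch.
VERSION_RE = re.compile(
    r"^(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$",
    re.IGNORECASE,
)

# The preference that turns off RTCPeerConnection, as written in prefs.js / user.js.
PREF_RE = re.compile(
    r'user_pref\("media\.peerconnection\.enabled",\s*(true|false)\);'
)


def parse_version(line):
    """Parse a --version line into (product, branch, (major, minor, patch)).

    Returns None when the line is not recognised.
    """
    m = VERSION_RE.match(line.strip())
    if m is None:
        return None
    product, major, minor, patch, esr = m.groups()
    branch = "esr" if esr else "release"
    return product.lower(), branch, (int(major), int(minor), int(patch or 0))


def is_affected(version_line):
    """True if the build predates the fixed release on its own branch."""
    parsed = parse_version(version_line)
    if parsed is None:
        raise ValueError(f"unrecognised version line: {version_line!r}")
    _product, branch, version = parsed
    return version < FIXED_VERSIONS[branch]


def webrtc_disabled(prefs_text):
    """True if prefs.js/user.js leaves media.peerconnection.enabled at false.

    The last assignment in the file wins, matching how Gecko loads prefs;
    a file that never mentions the pref leaves WebRTC at its default (on).
    """
    enabled = True
    for m in PREF_RE.finditer(prefs_text):
        enabled = m.group(1) == "true"
    return not enabled


def assess(version_line, prefs_text=""):
    """Classify one install as 'patched', 'affected-mitigated' or 'affected'."""
    if not is_affected(version_line):
        return "patched"
    return "affected-mitigated" if webrtc_disabled(prefs_text) else "affected"


# Constructed sample inventory (hypothetical hosts): version line, prefs text.
SAMPLE_HOSTS = {
    "ws-01": ("Mozilla Firefox 140.4.0esr", ""),
    "ws-02": ("Mozilla Firefox 140.5.0esr", ""),
    "ws-03": ("Mozilla Firefox 144.0.2",
              'user_pref("media.peerconnection.enabled", false);\n'),
    "mail-01": ("Thunderbird 145.0", ""),
    # Mitigation was applied and then reverted: the later line wins.
    "mail-02": ("Thunderbird 140.4.0esr",
                'user_pref("media.peerconnection.enabled", false);\n'
                'user_pref("media.peerconnection.enabled", true);\n'),
}


def triage(hosts=SAMPLE_HOSTS):
    """Return {hostname: status} for every entry in the inventory."""
    return {host: assess(line, prefs) for host, (line, prefs) in hosts.items()}


if __name__ == "__main__":
    for host, status in triage().items():
        print(f"{host:8} {status}")
```

The comparison is per branch on purpose: an ESR 140.4 install is affected even though 140 is below 145, and a release-channel 144.x install is affected even though it is newer than ESR 140.5. Treat "affected-mitigated" as a temporary state; the preference only reduces exposure until the upgrade lands.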


Advisories
Source       ID           Title
Debian DLA   DLA-4370-1   firefox-esr security update
Debian DLA   DLA-4372-1   thunderbird security update
Debian DSA   DSA-6054-1   firefox-esr security update
Debian DSA   DSA-6059-1   thunderbird security update
Ubuntu USN   USN-7991-1   Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description
  Removed: Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
  Added:   Use-after-free in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Thunderbird 145, and Thunderbird 140.5.

Wed, 19 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
Description
  Removed: Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5.
  Added:   Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.
References

Mon, 17 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
CPEs
  Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
         cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*

Wed, 12 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared
  Added: Mozilla
         Mozilla firefox
         Mozilla firefox Esr
Vendors & Products
  Added: Mozilla
         Mozilla firefox
         Mozilla firefox Esr

Wed, 12 Nov 2025 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate


Tue, 11 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description
  Added: Use-after-free in the WebRTC: Audio/Video component. This vulnerability affects Firefox < 145 and Firefox ESR < 140.5.
Title
  Added: Use-after-free in the WebRTC: Audio/Video component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:35.933Z

Reserved: 2025-11-11T15:12:22.873Z

Link: CVE-2025-13020

Vulnrichment

Updated: 2025-11-12T14:58:54.608Z

NVD

Status : Modified

Published: 2025-11-11T16:15:39.097

Modified: 2026-04-13T15:16:43.353

Link: CVE-2025-13020

Red Hat

Severity : Moderate

Public Date: 2025-11-11T15:47:17Z

Links: CVE-2025-13020 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses