Impact
The disclosed flaw is an incorrect boundary check in the Graphics: WebGPU subsystem, which can lead to an out‑of‑bounds write and arbitrary code execution. The weakness is listed as CWE‑703 and CWE‑787, indicating that the code does not properly constrain indices used when accessing memory. If exploited, an attacker could potentially execute malicious code with the privileges of the browser or mail client, compromising confidentiality, integrity, and availability of the affected system.
Affected Systems
Mozilla Firefox and Thunderbird installations that are using versions older than 145 are vulnerable. The issue was addressed in Firefox 145 and Thunderbird 145. The vulnerability is specific to those products' WebGPU support and does not affect other Mozilla applications or web browsers.
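A fleet-triage check for the version boundary stated above, as an added example that is not part of the original advisory. The tab-separated inventory format, the host names and the "review" status for 145 pre-release builds are assumptions made for the example.

```python
import re

# From the advisory text: fixed in Firefox 145 and Thunderbird 145.
FIXED_MAJOR = 145
PRODUCT_RE = re.compile(r"\b(firefox|thunderbird)\b", re.IGNORECASE)
# Major version, optional dotted parts, optional alpha/beta tag ("145.0b3").
VERSION_RE = re.compile(r"\b(\d+)(?:\.\d+)*([ab]\d+)?")

# Constructed sample: "<host>\t<version string reported by the endpoint>".
SAMPLE_INVENTORY = (
    "ws-001\tMozilla Firefox 144.0.2\n"
    "ws-002\tMozilla Firefox 145.0\n"
    "mail-01\tMozilla Thunderbird 140.4.0esr\n"
    "ws-003\tMozilla Firefox 145.0b3\n"
    "ws-004\tfirefox: command not found\n"
    "ws-005\tGoogle Chrome 142.0\n"
)


def classify(version_output):
    """Classify one version string against the advisory's 145 boundary."""
    product = PRODUCT_RE.search(version_output)
    if not product:
        return "not_applicable"      # not one of the two affected products
    version = VERSION_RE.search(version_output, product.end())
    if not version:
        return "unknown"             # product named, but no version to compare
    major = int(version.group(1))
    if major < FIXED_MAJOR:
        return "vulnerable"
    if major == FIXED_MAJOR and version.group(2):
        # Assumption: the advisory names only the 145 release, so a 145
        # alpha/beta build is sent for manual review rather than cleared.
        return "review"
    return "fixed"


def triage(inventory_text):
    """Map each host in a tab-separated inventory to its status."""
    findings = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, version_output = line.partition("\t")
        findings[host] = classify(version_output)
    return findings


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

The comparison uses only the major version, so builds below 145 are flagged exactly as the text above states.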
Risk and Exploitability
The CVSS score of 9.8 reflects a high‑severity risk, while the EPSS score of less than 1% suggests that the probability of exploitation in the wild is currently low. The CVE is not listed in the CISA KEV catalog, indicating no known publicly disclosed exploits at this time. The likely attack vector is a malicious or compromised webpage that leverages WebGPU; an attacker would need only to persuade the victim to visit such a page to trigger the fault and achieve code execution.
OpenCVE Enrichment