Description
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.
Published: 2025-11-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the Graphics: WebGPU component of Mozilla products, where improper boundary checks allow an out‑of‑bounds write to memory. This defect can corrupt internal data structures, potentially giving an attacker the ability to execute arbitrary code or cause a crash in the process.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. Versions earlier than 145 contain the flaw; the issue was fixed in Firefox 145 and Thunderbird 145. Users running older builds remain vulnerable.

Risk and Exploitability

The CVSS score of 9.8 signals a critical flaw. The EPSS score of less than 1 % indicates the exploitation probability is currently very low, and the vulnerability is not listed in CISA KEV. Attackers could target the flaw by serving malicious content that triggers WebGPU execution, leading to an out‑of‑bounds write and potentially remote code execution.

Generated by OpenCVE AI on April 20, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 145 or later.
  • Update Thunderbird to version 145 or later.
  • As a temporary workaround, disable the WebGPU feature via the browser configuration if an upgrade cannot be applied immediately.

Generated by OpenCVE AI on April 20, 2026 at 17:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145. Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.

Wed, 19 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145. Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
References

Mon, 17 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

Thu, 13 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-703
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Wed, 12 Nov 2025 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Tue, 11 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145.
Title Incorrect boundary conditions in the Graphics: WebGPU component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:10.756Z

Reserved: 2025-11-11T15:12:27.565Z

Link: CVE-2025-13022

cve-icon Vulnrichment

Updated: 2025-11-13T15:23:37.054Z

cve-icon NVD

Status : Modified

Published: 2025-11-11T16:15:39.287

Modified: 2026-04-13T15:16:43.687

Link: CVE-2025-13022

cve-icon Redhat

Severity : Important

Publid Date: 2025-11-11T15:47:13Z

Links: CVE-2025-13022 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T17:45:12Z

Weaknesses