Description
Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.
Published: 2025-11-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox escape that can lead to arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from incorrect boundary checks in the Graphics: WebGPU component, which allows a malicious actor to escape the sandbox and write beyond intended memory limits. The exploitation can compromise the confidentiality, integrity, and availability of the host system, potentially enabling full control over the affected application and, by extension, the underlying operating system. The weakness is characterized by CWE‑787 (Out‑of‑Bounds Write) and CWE‑703 (Incorrect Resource Usage).

Affected Systems

Mozilla Firefox and Thunderbird versions released before 145 are affected. The fix was applied in Firefox 145 and Thunderbird 145, so any instance running a prior release is vulnerable. The issue is not vendor‑specific beyond these products and does not affect other Mozilla applications.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity level. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to involve malicious WebGPU code executed in a web page or mail message, which could be delivered locally or remotely depending on the user’s browsing or email habits. If such code runs, the sandbox escape can allow arbitrary code execution with the same privileges as the application. The risk remains high until the vulnerability is mitigated.

Generated by OpenCVE AI on April 20, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox and Thunderbird to version 145 or newer, which includes the WebGPU boundary check fix.
  • If an upgrade cannot be performed immediately, disable the WebGPU feature by setting dom.webgpu.enabled to false in the about:config preferences of Firefox and Thunderbird.
  • Continuously monitor Mozilla security advisories for any additional patches or workarounds related to WebGPU to ensure ongoing protection.

Generated by OpenCVE AI on April 20, 2026 at 19:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145. Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 145 and Thunderbird 145.

Wed, 19 Nov 2025 19:30:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145. Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145 and Thunderbird < 145.
References

Mon, 17 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

Thu, 13 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-703
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Wed, 12 Nov 2025 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Tue, 11 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 145.
Title Sandbox escape due to incorrect boundary conditions in the Graphics: WebGPU component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:26:18.949Z

Reserved: 2025-11-11T15:12:29.824Z

Link: CVE-2025-13023

cve-icon Vulnrichment

Updated: 2025-11-13T15:19:45.744Z

cve-icon NVD

Status : Modified

Published: 2025-11-11T16:15:39.403

Modified: 2026-04-13T15:16:43.857

Link: CVE-2025-13023

cve-icon Redhat

Severity : Important

Publid Date: 2025-11-11T15:47:13Z

Links: CVE-2025-13023 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T19:15:15Z

Weaknesses