Description
Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 146.0.1.
Published: 2025-12-18
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via memory corruption
Action: Patch
AI Analysis

Impact

The issue is a set of memory safety bugs in Mozilla Firefox 146. Some of them showed evidence of memory corruption, and Mozilla states that with enough effort some could have been exploited to run arbitrary code. The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), the class of out-of-bounds reads and writes that corrupt heap or stack state and, in a browser, can be turned into control-flow hijacking. The advisory describes no specific exploit; the remote code execution risk is inferred from the nature of the corruption, with attacker-controlled web content as the expected delivery path.

Affected Systems

The CVE description gives the affected range as Firefox versions before 146.0.1, with the bugs reported as present in Firefox 146. Any installation that has not been updated to 146.0.1 or later should be treated as vulnerable; 146.0.1 and newer contain the fix. The CPE entry recorded on this page (cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*) does not narrow the range further.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) describes a network-reachable bug that needs no privileges but does need user interaction: the victim must load attacker-controlled content, typically a malicious or compromised web page, which is the usual browser exploitation model. Confidentiality, integrity and availability impact are all rated high, while scope is unchanged (S:U), so the score does not assume a sandbox escape. The EPSS score below 1% and the absence of a CISA KEV entry indicate that exploitation has not been observed and is not expected to be widespread; the SSVC assessment recorded on this page (Exploitation: none, Automatable: no, Technical Impact: total) says the same. Turning memory corruption of this kind into a working exploit usually requires chaining with other bugs and significant engineering effort, so active exploitation is technically demanding, but the high impact still makes prompt patching the right response.

Generated by OpenCVE AI on April 20, 2026 at 17:30 UTC.

Remediation

The CVE description states that the fix shipped in Firefox 146.0.1; no vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 146.0.1 or any newer release that contains the memory safety fixes.
  • Ensure that all browser instances are kept current by enabling automatic updates or regularly checking for new releases.
  • If an immediate upgrade is not feasible, reduce exposure: limit browsing to trusted sites, avoid opening untrusted links or documents in the affected browser, keep the built-in sandbox and site isolation enabled, and consider a separate, non-privileged profile or account for browsing external content.

Generated by OpenCVE AI on April 20, 2026 at 17:30 UTC.
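The version check implied by the actions above, as an added example rather than anything shipped by OpenCVE or Mozilla: it parses the line that `firefox --version` prints, compares the version as a numeric tuple against the 146.0.1 boundary from the description, and declines to decide for beta and ESR builds, which carry their own version lines (excluding them is this example's assumption; the page states the range only as "< 146.0.1"). The function names and sample strings are constructed for the example.

```python
import re

# Boundary taken from the CVE description: "fixed in Firefox 146.0.1".
FIXED_IN = (146, 0, 1)

# Forms Firefox reports about itself: "146.0", "146.0.1", "146.0b3", "140.5.0esr".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr|[ab]\d*)?$")


def parse_version(text):
    """Return ((major, minor, patch), channel) for a Firefox version string.
    channel is 'release', 'esr', or the alpha/beta tag such as 'b3'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0)), (tag or "release")


def classify(text):
    """'affected' if a release build is older than 146.0.1, 'fixed' otherwise.

    Beta and ESR builds get 'manual-check': they run on their own version
    lines, and this page gives no data for them (treating them separately
    is the example's assumption, not a statement from the advisory).
    """
    number, channel = parse_version(text)
    if channel != "release":
        return "manual-check"
    # Tuple comparison is numeric per component; comparing the raw strings
    # would call "99.0" newer than "146.0.1" because '9' > '1'.
    return "affected" if number < FIXED_IN else "fixed"


def classify_cli_output(line):
    """Accept the literal line printed by `firefox --version`,
    e.g. 'Mozilla Firefox 146.0.1'."""
    m = re.search(r"(\d+\.\d+(?:\.\d+)?(?:esr|[ab]\d*)?)\s*$", line.strip())
    if not m:
        raise ValueError(f"no version found in: {line!r}")
    return classify(m.group(1))


# Constructed sample inputs, as an inventory script might collect them.
SAMPLE_OUTPUTS = [
    "Mozilla Firefox 146.0",
    "Mozilla Firefox 146.0.1",
    "Mozilla Firefox 147.0",
    "Mozilla Firefox 146.0b3",
    "Mozilla Firefox 140.5.0esr",
    "Mozilla Firefox 99.0",
]

if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        print(f"{classify_cli_output(line):12s} {line}")
```

Feeding this the output collected by an endpoint inventory is enough to produce an affected list; the tuple comparison matters because plain string ordering misranks two-digit components, and the manual-check bucket keeps ESR fleets from being silently marked fixed or affected on the strength of a range that was not written for them.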

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:00:00 +0000

Type: Description
Values Removed: Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146.0.1.
Values Added: Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 146.0.1.

Tue, 30 Dec 2025 20:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Added: Mozilla; Mozilla firefox
Type: Vendors & Products
Values Added: Mozilla; Mozilla firefox

Thu, 18 Dec 2025 16:15:00 +0000

Type: Weaknesses
Values Added: CWE-119
Type: Metrics
Values Added:
cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 14:30:00 +0000

Type: Description
Values Added: Memory safety bugs present in Firefox 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 146.0.1.
Type: Title
Values Added: Memory safety bugs fixed in Firefox 146.0.1
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T14:30:33.420Z

Reserved: 2025-12-18T00:22:11.950Z

Link: CVE-2025-14861

Vulnrichment

Updated: 2025-12-18T15:39:20.216Z

NVD

Status : Modified

Published: 2025-12-18T15:15:53.157

Modified: 2026-04-13T15:16:47.820

Link: CVE-2025-14861

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T17:45:12Z

Weaknesses