Impact
The reported flaw resides in the audio and video playback subsystem of the Mozilla Firefox browser and Thunderbird client. Crafted media files can trigger an unhandled exception or resource exhaustion (CWE‑400 and CWE‑770), which causes the browser or client process to terminate unexpectedly. As a result, users experience a denial of service, with the application crashing or becoming unresponsive. No additional data confidentiality or integrity violations are disclosed, indicating the impact is limited to availability.
Affected Systems
The weakness affects all builds of Mozilla Firefox and Thunderbird that include the vulnerable playback engine. Mozilla released a fix in release 150, meaning any version earlier than 150 is potentially susceptible. Users should verify their installed Firefox or Thunderbird version. The issue might affect multiple platforms, including Windows, macOS, and Linux, because the playback component is common to all of them.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity denial of service risk. The flaw is a resource exhaustion vulnerability (CWE‑770) that can lead to application crashes when malformed media is processed. The EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog, and no public exploits have been reported, suggesting a low‑to‑moderate threat level at present. Because the reported failure is triggered by malformed media, the likely attack vector is an untrusted source hosting or embedding media in a webpage that the user visits. Mitigation rests primarily on upgrading to the patched Firefox or Thunderbird 150 or later.
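The version check described above can be run over a fleet inventory. The following is an added example, not code from Mozilla or OpenCVE. It assumes version strings in the form printed by `firefox --version` or `thunderbird --version`, uses host names and sample lines constructed for illustration, and applies only the threshold the text gives (earlier than 150 is flagged, ESR builds included; a pre-release build of 150 is marked for manual review as an added precaution).

```python
import re

FIXED_MAJOR = 150  # first fixed release, as stated in the advisory text

# Product line as printed by `firefox --version` / `thunderbird --version`.
VERSION_RE = re.compile(
    r"^\s*(?:Mozilla\s+)?(?P<product>Firefox|Thunderbird)\s+"
    r"(?P<major>\d+)(?:\.\d+)*(?P<suffix>[A-Za-z]+\d*)?\s*$",
    re.IGNORECASE,
)

def classify(version_line):
    """Return (product, major, status) for one version string."""
    m = VERSION_RE.match(version_line)
    if m is None:
        return (None, None, "unparsed")  # never treat unknown output as safe
    product = m.group("product").capitalize()
    major = int(m.group("major"))
    suffix = (m.group("suffix") or "").lower()
    if major < FIXED_MAJOR:
        status = "vulnerable"  # covers ESR builds below the fixed major too
    elif major == FIXED_MAJOR and re.fullmatch(r"[ab]\d+", suffix):
        status = "review"      # alpha/beta of 150 may predate the fix (assumption)
    else:
        status = "patched"
    return (product, major, status)

def audit(inventory):
    """inventory maps host -> version string; return every host not confirmed patched."""
    findings = []
    for host, line in sorted(inventory.items()):
        product, major, status = classify(line)
        if status != "patched":
            findings.append((host, product, major, status))
    return findings

# Constructed sample inventory (hypothetical hosts and outputs).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 149.0.1",
    "ws-02": "Mozilla Firefox 150.0",
    "ws-03": "Mozilla Firefox 140.5.0esr",
    "ws-04": "Mozilla Thunderbird 150.0b3",
    "ws-05": "firefox: command not found",
}

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(row)
```

Hosts whose output cannot be parsed are reported rather than skipped, so a missing binary or an unexpected string does not pass as patched.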