Impact
Based on the description, it is inferred that the audio and video playback component performs incorrect boundary checks, which can allow the parser to read beyond the intended buffer when processing malformed media files. Although the update does not explicitly mention a crash or data leak, such an over-read can lead to a memory corruption event that may cause the application to crash or expose unexpected data.
Affected Systems
The vulnerability affects all releases of Mozilla Firefox and Thunderbird that use the legacy audio/video playback component before the patch was applied in the ESR branches and the newer releases. Specifically, any Firefox or Thunderbird version older than Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, or Firefox ESR 115.35.2 is susceptible. Users should check whether their build precedes those fixed versions and, if so, apply the corresponding update.
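As an added example (not part of the original advisory and not Mozilla's code), the version check described above can be run over a software inventory. The inventory rows are constructed, the function names are hypothetical, and the parser assumes version strings in the style of `140.9.0esr`; ESR branches for which this page lists no fix are compared against the release threshold of 150.

```python
import re

# Fixed versions exactly as listed on this page.
FIXED_RELEASE = {"firefox": (150, 0, 0), "thunderbird": (150, 0, 0)}
FIXED_FIREFOX_ESR = {140: (140, 10, 1), 115: (115, 35, 2)}


def parse_version(text):
    """Parse '149.0.2', '140.9.0esr' or 'Mozilla Firefox 140.9.0esr'.

    Returns ((major, minor, patch), is_esr); missing parts count as 0.
    """
    match = re.search(r"(\d+(?:\.\d+){0,2})(esr)?", text, re.IGNORECASE)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts), match.group(2) is not None


def is_vulnerable(product, version_text):
    """True if the build predates the fix that applies to its branch."""
    product = product.lower()
    if product not in FIXED_RELEASE:
        raise ValueError(f"unknown product {product!r}")
    version, is_esr = parse_version(version_text)
    if product == "firefox" and is_esr and version[0] in FIXED_FIREFOX_ESR:
        # ESR builds are compared against the fix for their own branch.
        return version < FIXED_FIREFOX_ESR[version[0]]
    # Everything else, including ESR branches with no fix listed on the
    # page (assumption: still exposed), uses the release threshold.
    return version < FIXED_RELEASE[product]


# Constructed inventory rows: (host, product, reported version string).
INVENTORY = [
    ("ws-01", "firefox", "Mozilla Firefox 149.0.2"),
    ("ws-02", "firefox", "Mozilla Firefox 150.0"),
    ("ws-03", "firefox", "Mozilla Firefox 140.10.0esr"),
    ("ws-04", "firefox", "Mozilla Firefox 115.35.2esr"),
    ("ws-05", "firefox", "Mozilla Firefox 128.14.0esr"),
    ("ws-06", "thunderbird", "Mozilla Thunderbird 150.0"),
]


def vulnerable_hosts(inventory):
    """Hosts whose installed build still needs the update."""
    return [h for h, product, ver in inventory if is_vulnerable(product, ver)]
```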
Risk and Exploitability
The EPSS score is not available and the issue is not listed in CISA’s KEV catalog, so the current exploitation probability is unknown. No CVSS score is provided, but memory corruption in a browser component is generally considered a high-risk vulnerability class. Based on the description, it is inferred that the likely attack vector is delivery of a malformed media file via a webpage or malicious download, potentially triggering a crash or data leak. The risk is elevated for environments that routinely encounter untrusted media content, and timely remediation is advised.