Firefox 139/ESR 128.11 Security Update: CVE-2025-5262 Double-Free & Local Code Execution

Critical Vulnerability Information CVE-2025-5262: Double-free in libvpx encoder Impact: critical Description: In the libvpx encoder, a double-free vulnerability may occur if an error happens during encoder initialization, potentially leading to memory corruption and exploitable crashes. CVE-2025-5263: Error handling for script execution was incorrectly isolated from web content Impact: moderate Description: Error handling for script execution was not properly isolated from web content, potentially enabling cross-origin information leakage attacks. CVE-2025-5264: Potential local code execution in "Copy as cURL" command Impact: moderate Description: Due to improper escaping of newline characters in the "Copy as cURL" feature, attackers could trick users into using this command, leading to local code execution on the user's system. CVE-2025-5265: Potential local code execution in "Copy as cURL" command Impact: moderate Description: Due to improper escaping of newline characters in the "Copy as cURL" feature, attackers could trick users into using this command, leading to local code execution on the user's system. This vulnerability affects only Firefox for Windows; other versions of Firefox are unaffected. CVE-2025-5266: Script element events leaked cross-origin resource status Impact: moderate Description: Script element events generated by cross-origin resources leaked information about loading and error events, potentially enabling XSS-based information leakage attacks. CVE-2025-5267: Clickjacking vulnerability could have led to leaking saved payment card details Impact: low Description: A clickjacking vulnerability could be exploited to trick users into revealing saved payment card details to malicious websites. CVE-2025-5268: Memory safety bugs fixed in Firefox 139, Thunderbird 139, Firefox ESR 128.11, and Thunderbird 128.11 Impact: moderate Description: Memory safety vulnerabilities present in Firefox 138, Thunderbird 138, Firefox ESR 128.10, and Thunderbird 128.10, some of which showed evidence of memory corruption. We assume these could potentially be exploited to execute arbitrary code. CVE-2025-5269: Memory safety bug fixed in Firefox ESR 128.11 and Thunderbird 128.11 Impact: moderate Description: A memory safety vulnerability present in Firefox ESR 128.10 and Thunderbird 128.10, showing evidence of memory corruption. We assume this could potentially be exploited to execute arbitrary code.

Goal Reached Thanks to every supporter — we hit 100%!

Firefox 139/ESR 128.11 Security Update: CVE-2025-5262 Double-Free & Local Code Execution

More from this source