Mozilla has released urgent security updates for Firefox to fix a critical vulnerability that could let attackers run arbitrary code on users’ systems without any interaction.
The flaw, identified as CVE-2025-5262, was detailed in a security advisory published by the Mozilla Foundation. Experts describe it as a high-risk issue because it can be exploited during normal web browsing, with no input required from the user.
Vulnerability in libvpx
The issue lies in the libvpx library, which Firefox uses for encoding and decoding VP8 and VP9 video in WebRTC communications. It is a double-free memory corruption error that occurs in the vpx_codec_enc_init_multi function.
When a memory allocation fails during encoder setup, this function's error handling leaves the encoder's memory in an inconsistent state. According to Mozilla, this leads to memory corruption and a crash that could be exploited to run malicious code.
“A double-free could have occurred in vpx_codec_enc_init_multi after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash,” the advisory stated.
The root cause is in the vp8e_init() function. When vp8_create_compressor() fails, the encoder context still takes ownership of memory that the failed call has already released, so the same memory is freed twice, triggering the vulnerability.
Risk Summary
Risk Factor | Details |
---|---|
Affected Products | Firefox before 139, Firefox ESR before 128.11, Firefox ESR before 115.24 |
Impact | Arbitrary code execution |
Exploit Prerequisites | None; exploitable during normal web browsing with no user interaction |
CVSS 3.1 Score | 9.8 (Critical) |
Why This Matters
WebRTC is a widely used protocol that enables real-time communication in browsers, such as video calls and interactive applications. Because this vulnerability lies in WebRTC, it could be exploited in many common use cases.
Security experts warn that similar flaws in the libvpx library have been used in the past by commercial surveillance vendors to compromise systems.
How to Stay Safe
Mozilla has released patched versions of Firefox to fix the issue:
- Firefox 139
- Firefox ESR 128.11
- Firefox ESR 115.24
The fix, contributed by James Zern of Google, ensures that memory variables are properly cleared on failure, preventing the double-free problem.
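The ownership mistake described in the root-cause section, and the "clear on failure" fix described just above, as an added example. This is a constructed model, not libvpx or Mozilla code: `create_compressor`, `init_buggy`, `init_fixed` and the one-slot allocator are hypothetical names, and the mid-setup failure is forced with a flag rather than by a real allocation failure.

```c
#include <stddef.h>
/* Constructed model of the CVE-2025-5262 pattern; not libvpx code. A one-slot
 * "allocator" records a second free of the same block instead of corrupting
 * the heap, so the bug and the fix can be observed safely. */
static char slot[64];
static int slot_in_use, double_frees;

static void *model_alloc(void) {
    if (slot_in_use) return NULL;
    slot_in_use = 1;
    return slot;
}
static void model_free(void *p) {
    if (p == NULL) return;
    if (!slot_in_use) { double_frees++; return; } /* block already freed */
    slot_in_use = 0;
}
typedef struct { void *compressor; } enc_ctx; /* stands in for the VP8 encoder context */

/* Stands in for vp8_create_compressor(): hands the new block back through
 * *out, then fails on a later step and releases what it had built. */
static int create_compressor(void **out, int fail_late) {
    *out = model_alloc();
    if (*out == NULL) return -1;
    if (fail_late) {
        model_free(*out); /* first free; *out still points at the block */
        return -1;
    }
    return 0;
}
/* Buggy init: the context keeps the dangling pointer after the failure. */
static int init_buggy(enc_ctx *ctx, int fail_late) {
    return create_compressor(&ctx->compressor, fail_late);
}
/* Fixed init: clear the owned pointer on failure so teardown has nothing to free. */
static int init_fixed(enc_ctx *ctx, int fail_late) {
    int rc = create_compressor(&ctx->compressor, fail_late);
    if (rc != 0) ctx->compressor = NULL;
    return rc;
}

/* Runs init, then the caller's normal teardown, and returns the double-free count. */
int double_frees_with(int (*init)(enc_ctx *, int), int fail_late) {
    enc_ctx ctx = { NULL };
    slot_in_use = 0; double_frees = 0;
    (void)init(&ctx, fail_late);
    model_free(ctx.compressor); /* second free when the pointer is stale */
    return double_frees;
}
```

With the forced failure, the buggy path reports one double free and the fixed path none; on the success path both report zero.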
Users should update their browsers immediately to stay protected. To check for updates, open the Firefox menu, go to “Help,” and click “About Firefox.” The browser will search for updates and prompt for a restart if needed.