CVE-2025-12380

9.8 CRITICAL

📋 TL;DR

A use-after-free vulnerability in Firefox's WebGPU implementation allows a compromised child process to trigger memory corruption in the GPU or browser process via IPC calls. This could enable sandbox escape from the child process sandbox. Affects Firefox versions 142 through 144.0.1.

💻 Affected Systems

Products:
  • Mozilla Firefox
Versions: 142.0 to 144.0.1
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WebGPU to be enabled (default in affected versions). Firefox ESR versions may also be affected if they include the vulnerable code.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via sandbox escape leading to arbitrary code execution with browser process privileges, potentially enabling malware installation, data theft, or lateral movement.

🟠 Likely Case

Browser compromise leading to session hijacking, credential theft, or installation of malicious extensions/add-ons.

🟢 If Mitigated

Limited to browser compromise without system-level access if sandbox escape fails, but still enables data exfiltration from browser context.

🌐 Internet-Facing: HIGH - Firefox is commonly used for internet browsing, making any user visiting malicious sites potentially vulnerable.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or compromised internal sites, but requires user interaction.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires compromising a child process first, then leveraging the use-after-free for sandbox escape. No public exploit code available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 144.0.2

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-86/

Restart Required: Yes

Instructions:

1. Open Firefox.
2. Click menu → Help → About Firefox.
3. Firefox will check for updates and prompt to install 144.0.2.
4. Restart Firefox when prompted.

🔧 Temporary Workarounds

Disable WebGPU (all platforms)

Temporarily disable the WebGPU feature to prevent exploitation:

1. Open about:config
2. Set dom.webgpu.enabled to false

🧯 If You Can't Patch

  • Disable WebGPU via about:config as temporary mitigation
  • Restrict browser usage to trusted sites only until patching possible

🔍 How to Verify

Check if Vulnerable:

Check Firefox version: if between 142.0 and 144.0.1 inclusive, system is vulnerable.

Check Version:

firefox --version

Verify Fix Applied:

Verify Firefox version is 144.0.2 or higher via About Firefox dialog.
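
The version check above can be scripted for fleet use. The following is an added example, not code from Mozilla or from this advisory; it classifies `firefox --version` output against the range stated on this page, and the function names and result labels are illustrative assumptions.

```shell
#!/bin/sh
# Added example: classify a Firefox version string against this page's range
# (affected: 142.0 through 144.0.1, fixed: 144.0.2). Labels are assumptions.

# "Mozilla Firefox 144.0.1" -> "144 0 1"; missing parts become 0.
# Pre-release suffixes such as "b3" are ignored. Fails if no number is found.
parse_version() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p')
    [ -n "$v" ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0}"
}

# Collapse major.minor.patch into one integer so ranges compare numerically.
version_key() {
    parts=$(parse_version "$1") || return 1
    set -- $parts
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Prints one of: vulnerable, patched, not-in-range, esr-check-advisory, unknown.
classify_firefox() {
    case "$1" in
        # The page only says ESR "may" be affected, so defer to the advisory.
        *esr*) echo esr-check-advisory; return 0 ;;
    esac
    key=$(version_key "$1") || { echo unknown; return 0; }
    if [ "$key" -lt 142000000 ]; then
        echo not-in-range
    elif [ "$key" -le 144000001 ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Check the local install only when firefox is on PATH.
if command -v firefox >/dev/null 2>&1; then
    out=$(firefox --version 2>/dev/null) || out=""
    echo "$out -> $(classify_firefox "$out")"
fi
```
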

📡 Detection & Monitoring

Log Indicators:

  • Browser crash reports with WebGPU-related stack traces
  • Unexpected child process termination followed by browser process crashes

Network Indicators:

  • Unusual WebSocket or IPC traffic from browser processes
  • Connections to known malicious domains hosting WebGPU content

SIEM Query:

source="firefox" AND ((event_type="crash" AND process="WebGPU") OR (event_type="sandbox_violation" AND component="gpu_process"))
