CVE-2025-14321 – A use-after-free vulnerability in the WebRTC si... (How to Fix)

Q: How do I fix CVE-2025-14321?

1. Open the browser/application. 2. Go to Settings/Preferences > General/About. 3. Allow automatic update or manually download from official Mozilla sites. 4. Restart the application.

Q: What is the severity of CVE-2025-14321?

CVE-2025-14321 has a CVSS score of 9.8 (CRITICAL). A use-after-free vulnerability in the WebRTC signaling component allows attackers to execute arbitrary code or cause a crash by manipulating memory after it has been freed. This affects Firefox, Firefox ESR, and Thunderbird users running outdated versions. Successful exploitation could lead to remote code execution.

📋 TL;DR

A use-after-free vulnerability in the WebRTC signaling component allows attackers to execute arbitrary code or cause a crash by manipulating memory after it has been freed. This affects Firefox, Firefox ESR, and Thunderbird users running outdated versions. Successful exploitation could lead to remote code execution.

💻 Affected Systems

Products:

Firefox
Firefox ESR
Thunderbird

Versions: Firefox < 146, Firefox ESR < 140.6, Thunderbird < 146, Thunderbird < 140.6

Operating Systems: Windows, macOS, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected versions are vulnerable when WebRTC is enabled (default).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the same privileges as the browser process, potentially leading to full system compromise.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within sandbox constraints.

🟢

If Mitigated

No impact if patched versions are deployed with proper sandboxing and exploit mitigations.

🌐 Internet-Facing: HIGH - Web browsers are inherently internet-facing and process untrusted content.

🏢 Internal Only: MEDIUM - Internal users could be targeted via malicious internal sites or phishing.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: MEDIUM

Exploitation requires triggering the use-after-free condition via WebRTC signaling, which may involve crafted web content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 146, Firefox ESR 140.6, Thunderbird 146, Thunderbird 140.6

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-92/

Restart Required: Yes

Instructions:

1. Open the browser/application. 2. Go to Settings/Preferences > General/About. 3. Allow automatic update or manually download from official Mozilla sites. 4. Restart the application.

🔧 Temporary Workarounds

Disable WebRTC

all

Disables the vulnerable component but breaks WebRTC functionality (video calls, etc.).

about:config -> media.peerconnection.enabled = false

🧯 If You Can't Patch

Restrict browser usage to trusted sites only via policy.
Implement application whitelisting to block execution of vulnerable versions.

🔍 How to Verify

Check if Vulnerable:

Check browser version in About dialog; if below patched versions, it's vulnerable.

Check Version:

firefox --version or thunderbird --version on command line; or check in GUI.

Verify Fix Applied:

Confirm version is at or above Firefox 146, Firefox ESR 140.6, Thunderbird 146, or Thunderbird 140.6.

📡 Detection & Monitoring

Log Indicators:

Browser crash logs referencing WebRTC or signaling components
Unexpected process termination

Network Indicators:

Unusual WebRTC signaling traffic to/from browsers
Exploit kit traffic patterns

SIEM Query:

source="browser_logs" AND (event="crash" OR event="exception") AND process="firefox" OR process="thunderbird"

📊 Metadata

CVE ID: CVE-2025-14321

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

EPSS Score: 0.06% exploit probability (19.7th percentile)

Published: December 9, 2025

Last Updated: December 11, 2025

🔗 References

https://bugzilla.mozilla.org/show_bug.cgi?id=1992760 Issue Tracking,Permissions Required
https://www.mozilla.org/security/advisories/mfsa2025-92/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-94/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-95/ Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2025-96/ Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14321, you might also want to check these: