CVE-2025-14326

9.8 CRITICAL

📋 TL;DR

A use-after-free vulnerability in the Gecko Media Plugins (GMP) component of Firefox and Thunderbird allows attackers to execute arbitrary code or cause denial of service. This affects Firefox versions before 146 and Thunderbird versions before 146. Attackers can exploit this by tricking users into visiting malicious web pages.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: Firefox < 146, Thunderbird < 146
Operating Systems: Windows, Linux, macOS, Android
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The GMP component is enabled by default for media playback.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with system-level privileges, potentially leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash (denial of service) or limited code execution within the browser sandbox, potentially stealing session cookies, credentials, or installing malware.

🟢

If Mitigated

Browser crash with no data loss if sandboxing works properly, or exploitation blocked by security controls like DEP/ASLR.

🌐 Internet-Facing: HIGH - Exploitable via malicious web content without user interaction beyond visiting a page.
🏢 Internal Only: MEDIUM - Requires user to visit malicious internal site or open malicious email in Thunderbird.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

CVSS 9.8 indicates critical severity with network-based exploitation without authentication. Use-after-free vulnerabilities in browsers are frequently exploited in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 146, Thunderbird 146

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-92/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update to version 146 or higher.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable GMP component (applies to: all)

Temporarily disable Gecko Media Plugins to prevent exploitation via media content.

about:config → Set 'media.gmp.enabled' to false

Disable JavaScript (applies to: all)

Prevent JavaScript execution, which is typically required for exploitation.

about:config → Set 'javascript.enabled' to false

🧯 If You Can't Patch

  • Restrict browser usage to trusted websites only
  • Implement application whitelisting to block Firefox/Thunderbird execution

🔍 How to Verify

Check if Vulnerable:

Check browser version: Firefox → Help → About Firefox; Thunderbird → Help → About Thunderbird

Check Version:

firefox --version (Linux) or check About menu (Windows/macOS)

Verify Fix Applied:

Confirm version is 146 or higher in About dialog
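Added example (not part of the advisory): a small Python check that parses the output of `firefox --version` / `thunderbird --version` and flags any major version below the fixed release, 146. It assumes the usual output format "Mozilla Firefox 145.0.1" / "Mozilla Thunderbird 140.2.0"; the sample strings are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed release for both products per the vendor advisory (MFSA 2025-92).
FIXED_MAJOR = 146

# Assumed output shape of `<binary> --version`, e.g. "Mozilla Firefox 145.0.1".
_VERSION_RE = re.compile(r"Mozilla (Firefox|Thunderbird)\s+(\d+)\.(\d+)")


def parse_version_output(output: str) -> Optional[Tuple[str, int]]:
    """Return (product, major_version) from a --version line, or None if unrecognised."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def is_vulnerable(output: str) -> Optional[bool]:
    """True when the reported major version is below 146 (affected range: < 146).

    None means the string could not be parsed, so no conclusion is drawn."""
    parsed = parse_version_output(output)
    if parsed is None:
        return None
    _, major = parsed
    return major < FIXED_MAJOR


def check_installed(binary: str) -> Optional[bool]:
    """Run `<binary> --version` on the local host (Linux/macOS) and classify it."""
    try:
        result = subprocess.run([binary, "--version"], capture_output=True,
                                text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None  # binary missing or hung; treat as unknown, not as patched
    return is_vulnerable(result.stdout)


if __name__ == "__main__":
    for name in ("firefox", "thunderbird"):
        state = check_installed(name)
        label = {True: "VULNERABLE (< 146)", False: "patched", None: "unknown"}[state]
        print(f"{name}: {label}")
```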

📡 Detection & Monitoring

Log Indicators:

  • Browser crash reports with GMP-related stack traces
  • Unexpected browser process termination

Network Indicators:

  • Requests to known malicious domains serving exploit code
  • Unusual outbound connections after visiting web pages

SIEM Query:

(source="firefox.log" AND ("crash" OR "segfault") AND "GMP") OR (source="thunderbird.log" AND process_termination)
