CVE-2025-14860

9.8 CRITICAL

📋 TL;DR

A use-after-free vulnerability in Firefox's Disability Access APIs allows attackers to execute arbitrary code by manipulating freed memory. This affects all Firefox users running versions below 146.0.1, potentially leading to complete system compromise.

💻 Affected Systems

Products:
  • Mozilla Firefox
Versions: All versions < 146.0.1
Operating Systems: Windows, macOS, Linux, Android
Default Config Vulnerable: ⚠️ Yes
Notes: All standard Firefox installations are vulnerable. Extensions or custom configurations don't affect vulnerability status.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to full system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case: Browser crash leading to denial of service, with potential for limited code execution in the sandboxed content process.

🟢 If Mitigated: Browser crash without code execution if sandboxing holds, but the underlying memory corruption still occurs.

🌐 Internet-Facing: HIGH - Firefox is internet-facing by design and can be exploited through malicious websites.
🏢 Internal Only: MEDIUM - Internal users could be targeted through phishing or compromised internal sites.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Use-after-free vulnerabilities typically require specific memory manipulation techniques but can be reliably exploited with sufficient research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 146.0.1

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-98/

Restart Required: Yes

Instructions:

1. Open Firefox.
2. Click menu → Help → About Firefox.
3. Firefox will automatically check for and install updates.
4. Restart Firefox when prompted.

🔧 Temporary Workarounds

Disable JavaScript (platforms: all)

Prevents exploitation by disabling JavaScript execution, which is typically required to trigger this type of vulnerability.

about:config → javascript.enabled = false

Use Enhanced Tracking Protection Strict (platforms: all)

Blocks more trackers and potentially malicious scripts.

Settings → Privacy & Security → Enhanced Tracking Protection → Strict

🧯 If You Can't Patch

  • Restrict Firefox to trusted websites only using network policies
  • Deploy application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check the Firefox version in About Firefox (menu → Help → About Firefox). If the version is lower than 146.0.1, the installation is vulnerable.

Check Version:

firefox --version (Linux/macOS) or check About Firefox on Windows

Verify Fix Applied:

Confirm the Firefox version is 146.0.1 or higher in the About Firefox dialog.
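The version check above, scripted so it can run across a fleet from a POSIX shell. This is an added example, not part of the advisory or of any Mozilla tooling; it assumes the banner format "Mozilla Firefox <version>" that `firefox --version` prints, and the fixed version 146.0.1 comes from this page. The sample banner lines at the bottom are constructed for illustration.

```shell
# Added example (not from the advisory): classify a "firefox --version" banner
# against the fixed release 146.0.1 named on this page.
FIXED_VERSION="146.0.1"

# Pull the dotted numeric version out of a banner such as "Mozilla Firefox 146.0.1".
# Any suffix after the digits (e.g. "esr") is ignored. Prints nothing if no match.
ff_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/.*Firefox \([0-9][0-9.]*\).*/\1/p'
}

# Numeric, component-by-component comparison of two dotted versions.
# Returns 0 when $1 >= $2, 1 otherwise; a missing component counts as 0,
# so "146.0" is correctly treated as older than "146.0.1".
version_ge() {
    v1="$1"; v2="$2"
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a="${v1%%.*}"; b="${v2%%.*}"
        [ -z "$a" ] && a=0
        [ -z "$b" ] && b=0
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        case "$v1" in *.*) v1="${v1#*.}";; *) v1="";; esac
        case "$v2" in *.*) v2="${v2#*.}";; *) v2="";; esac
    done
    return 0
}

# Classify one banner line. Prints "patched", "vulnerable" or "unknown" and
# returns 0, 1 or 2 respectively so the result is usable from other scripts.
ff_status() {
    ver=$(ff_version_from_output "$1")
    if [ -z "$ver" ]; then echo "unknown"; return 2; fi
    if version_ge "$ver" "$FIXED_VERSION"; then echo "patched"; return 0; fi
    echo "vulnerable"; return 1
}

# Constructed sample banners (not real captures) covering each outcome.
for line in "Mozilla Firefox 145.0" "Mozilla Firefox 146.0" \
            "Mozilla Firefox 146.0.1" "Mozilla Firefox 147.0" "no firefox here"; do
    printf '%-26s -> %s\n' "$line" "$(ff_status "$line")"
done
```

On a real host, feed the live banner in with `ff_status "$(firefox --version)"`; the exit code (0 patched, 1 vulnerable, 2 unknown) lets a configuration-management or inventory job act on the result without parsing the printed word.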

📡 Detection & Monitoring

Log Indicators:

  • Firefox crash reports with memory access violations
  • Unexpected Firefox process termination
  • Access violations in system logs

Network Indicators:

  • Unusual outbound connections from Firefox process
  • Traffic to known malicious domains

SIEM Query:

(process_name:"firefox.exe" AND (event_id:1000 OR event_id:1001)) OR process_crash:true

🔗 References

  • Vendor advisory (MFSA 2025-98): https://www.mozilla.org/security/advisories/mfsa2025-98/