CVE-2025-5262

7.5 HIGH

📋 TL;DR

A double-free vulnerability in Thunderbird's WebRTC encoder initialization could cause memory corruption and potentially exploitable crashes. This affects Thunderbird email clients on all platforms. Attackers could exploit this to crash Thunderbird or potentially execute arbitrary code.

💻 Affected Systems

Products:
  • Mozilla Thunderbird
Versions: Thunderbird < 139 and Thunderbird < 128.11
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers during WebRTC encoder initialization, which occurs when handling certain media content

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise via malicious email or web content

🟠 Likely Case: Application crash causing denial of service and potential data loss

🟢 If Mitigated: Limited impact with proper sandboxing and memory protection mechanisms

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires triggering the double-free condition through WebRTC initialization failure

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Thunderbird 139 or Thunderbird 128.11

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2025-45/

Restart Required: Yes

Instructions:

1. Open Thunderbird.
2. Click Help > About Thunderbird.
3. Allow the automatic update to complete.
4. Restart Thunderbird when prompted.

🔧 Temporary Workarounds

Disable WebRTC (applies to: all)

Prevent WebRTC initialization by disabling the related feature:

about:config -> media.peerconnection.enabled = false

🧯 If You Can't Patch

  • Restrict Thunderbird from processing untrusted media content
  • Implement application sandboxing and memory protection controls

🔍 How to Verify

Check if Vulnerable:

Check Thunderbird version in Help > About Thunderbird

Check Version:

thunderbird --version

Verify Fix Applied:

Confirm the installed version is 139 or later, or 128.11 or later on the 128.x line
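A branch-aware version check for the verification step above, added here as an example and not part of the advisory. It assumes `thunderbird --version` prints `Thunderbird <version>` (optionally with an `esr` suffix) and, as a conservative assumption, treats any line older than 128.x and any unparseable version as vulnerable.

```shell
#!/bin/sh
# Added example: decide from a Thunderbird version string whether it is at or
# above the fixed versions for CVE-2025-5262 (139 mainline, 128.11 on 128.x).
# Assumption: lines older than 128 and unparseable strings count as vulnerable.

# tb_is_fixed VERSION -> exit 0 if fixed, 1 if vulnerable
tb_is_fixed() {
    ver=${1#Thunderbird }            # tolerate "Thunderbird 128.10.0esr"
    ver=${ver%%esr*}                 # drop an "esr" suffix if present
    major=${ver%%.*}                 # "128.10.0" -> "128"
    rest=${ver#"$major"}
    rest=${rest#.}                   # "10.0"
    minor=${rest%%.*}                # "10"
    [ -z "$minor" ] && minor=0       # "139" -> minor 0
    # empty or non-numeric components (e.g. "140.0a1") -> treat as vulnerable
    case "$major$minor" in ""|*[!0-9]*) return 1 ;; esac
    if [ "$major" -ge 139 ]; then
        return 0
    elif [ "$major" -eq 128 ] && [ "$minor" -ge 11 ]; then
        return 0
    fi
    return 1
}

# tb_check_installed -> 0 fixed, 1 vulnerable, 2 binary not found
tb_check_installed() {
    out=$(thunderbird --version 2>/dev/null) || { echo "thunderbird not found"; return 2; }
    if tb_is_fixed "$out"; then
        echo "FIXED: $out"
    else
        echo "VULNERABLE: $out"
        return 1
    fi
}
```

Run `tb_check_installed` on each host to get a per-host verdict; `tb_is_fixed` can be fed version strings collected from inventory tooling instead.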

📡 Detection & Monitoring

Log Indicators:

  • Thunderbird crash reports
  • Memory access violation errors
  • WebRTC initialization failures

Network Indicators:

  • Unusual media content delivery to Thunderbird clients

SIEM Query:

source="thunderbird" AND (event_type="crash" OR error="memory corruption")
