CVE-2025-6424

9.8 CRITICAL

📋 TL;DR

A use-after-free in Firefox's FontFaceSet implementation (the object behind the CSS Font Loading API, exposed to pages as document.fonts) allows memory corruption that could lead to arbitrary code execution. The bug affects Firefox, Firefox ESR, and Thunderbird users running the versions listed below. An attacker who gets a victim to load attacker-controlled content in a vulnerable build could use it to compromise the browser process.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
Versions: Firefox < 140, Firefox ESR < 115.25, Firefox ESR < 128.12, Thunderbird < 140, Thunderbird < 128.12
Operating Systems: All platforms where affected browsers run
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable; no special settings required.

📦 What is this software?

Firefox is Mozilla's open-source web browser; Firefox ESR is its Extended Support Release, the slower-moving branch typically deployed in enterprises. Thunderbird is Mozilla's email client and is built on the same Gecko engine, which is why it shares Firefox's rendering-layer vulnerabilities.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the browser process, potentially leading to full system compromise.

🟠

Likely Case

Browser crash (denial of service), or code execution confined to the sandboxed content process; reaching the operating system from there requires a separate sandbox-escape bug.

🟢

If Mitigated

No impact if patched; browser sandbox may limit damage if exploited.

🌐 Internet-Facing: HIGH - Web browsers are inherently internet-facing and process untrusted content.
🏢 Internal Only: MEDIUM - Internal users could still be targeted via malicious internal sites or attachments that open in the browser. Mozilla's Thunderbird advisories note that such flaws generally cannot be exploited through email itself, because scripting is disabled when reading mail, but remain a risk in browser-like contexts inside the client.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Use-after-free bugs typically need heap grooming to turn the dangling pointer into a controlled read or write, which keeps exploit complexity above trivial, but this bug class is routinely weaponized in browser attack chains.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, Thunderbird 128.12

Vendor Advisory: https://www.mozilla.org/security/advisories/

Restart Required: Yes

Instructions:

1. Open the Help menu (Firefox/Thunderbird > Help on macOS and Linux; the application menu > Help on Windows)
2. Select 'About Firefox' or 'About Thunderbird'
3. Allow the automatic update check and installation to complete
4. Restart the application when prompted, then reopen the About dialog to confirm the new version

🔧 Temporary Workarounds

Disable JavaScript

Applies to: all platforms

Setting the javascript.enabled preference to false in about:config prevents pages from running script, which most browser exploit chains (including the heap grooming a use-after-free needs) depend on. This breaks nearly every modern website, so it is only practical for tightly scoped kiosk or administrative browsers.

Use Content Security Policy

Applies to: all platforms

Strict CSP headers limit which scripts a site will run, which reduces the blast radius of script injection on sites you operate. Note the caveat: CSP is set by the site being visited, so it does nothing to protect a user who is lured to an attacker-controlled page; it is a defense for your own web properties, not a substitute for patching clients.

🧯 If You Can't Patch

  • Restrict browser usage to trusted websites only
  • Implement network segmentation to limit browser access to sensitive systems

🔍 How to Verify

Check if Vulnerable:

Check browser version in settings: Firefox/Thunderbird > Help > About

Check Version:

firefox --version (Linux) or check About dialog (Windows/macOS)

Verify Fix Applied:

Confirm version is equal to or greater than patched versions listed above
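The check above is easy to get wrong by hand because the three fixed versions live on different branches (rapid release, ESR 115, ESR 128). The following script is an added example, not part of the advisory or Mozilla's tooling: it parses the output of the --version command and classifies it against the patched versions listed on this page. The branch rule it assumes (major version 115 or 128 means an ESR build for Firefox, 128 for Thunderbird, anything else is rapid release and must be at least 140) is an assumption derived from the version table, not something the page states.

```python
import re
import shutil
import subprocess

# Fixed versions from the advisory. Assumption: a major version of 115 or 128
# marks a Firefox ESR build and 128 a Thunderbird ESR build; any other major
# is treated as rapid release, which is fixed at 140.
FIXED = {
    "firefox": {115: (115, 25), 128: (128, 12)},
    "thunderbird": {128: (128, 12)},
}
FIXED_RAPID = (140, 0)

VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Pull (major, minor) out of strings like 'Mozilla Firefox 128.11.0esr'."""
    m = VERSION_RE.search(text or "")
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def product_of(text):
    """Guess the product from the --version banner; defaults to Firefox."""
    return "thunderbird" if "thunderbird" in (text or "").lower() else "firefox"


def vuln_status(text):
    """Return 'PATCHED', 'VULNERABLE' or 'UNKNOWN' for a --version string."""
    v = parse_version(text)
    if v is None:
        return "UNKNOWN"
    fixed = FIXED[product_of(text)].get(v[0], FIXED_RAPID)
    return "PATCHED" if v >= fixed else "VULNERABLE"


def installed_version(binary):
    """Run '<binary> --version' if the binary is on PATH; None otherwise."""
    path = shutil.which(binary)
    if not path:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=30)
    return out.stdout.strip()


if __name__ == "__main__":
    # Binary names are assumptions; adjust for your packaging (e.g. snap/flatpak wrappers).
    for binary in ("firefox", "firefox-esr", "thunderbird"):
        banner = installed_version(binary)
        verdict = vuln_status(banner) if banner else "n/a"
        print(f"{binary}: {banner or 'not found'} -> {verdict}")
```

A Thunderbird 115 build is reported as VULNERABLE because the page lists no fixed 115.x release for Thunderbird; treat such installs as unsupported rather than patched.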

📡 Detection & Monitoring

Log Indicators:

  • Browser crash reports with memory access violations
  • Unexpected browser process termination

Network Indicators:

  • Unusual outbound connections from browser process post-crash

SIEM Query:

source="browser_crash_logs" AND (event_type="crash" OR memory_access_violation="true")
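The indicators above only become a useful signal when the crash and the network event are correlated per host and per process. The script below is an added example, not part of the advisory or any vendor tooling: it runs over a handful of constructed log lines (the format, field names, hosts and addresses are invented for the example) and flags browser processes that opened an outbound connection to a non-allowlisted destination within a short window after an access-violation crash, which is the sequence the log and network indicators describe. The 15-minute window and the allowlist are assumptions to tune for your environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs). ws-12 crashes and then beacons to
# an unknown host; ws-31 crashes but only connects much later; ws-45 connects
# without any preceding crash.
SAMPLE_LOG = """\
2025-06-24T10:00:05Z host=ws-12 event=crash proc=firefox signal=SIGSEGV detail="EXCEPTION_ACCESS_VIOLATION"
2025-06-24T10:00:40Z host=ws-12 event=netconn proc=firefox dst=203.0.113.77:443
2025-06-24T10:01:00Z host=ws-12 event=netconn proc=firefox dst=mozilla.org:443
2025-06-24T10:05:00Z host=ws-31 event=crash proc=thunderbird signal=SIGSEGV detail="EXCEPTION_ACCESS_VIOLATION"
2025-06-24T11:30:00Z host=ws-31 event=netconn proc=thunderbird dst=198.51.100.9:8443
2025-06-24T10:07:00Z host=ws-45 event=netconn proc=firefox dst=198.51.100.9:8443
"""

BROWSER_PROCS = {"firefox", "firefox-esr", "thunderbird", "plugin-container"}
# Assumed allowlist of destinations the browser legitimately reaches after a
# crash (crash reporting, updates); extend with your own telemetry hosts.
ALLOWED_DST = {"mozilla.org", "mozilla.com", "mozilla.net"}
WINDOW = timedelta(minutes=15)
ACCESS_VIOLATION_MARKERS = ("SIGSEGV", "ACCESS_VIOLATION", "SIGBUS")

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_events(text):
    """Parse '<ISO timestamp> key=value ...' lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, _, rest = line.partition(" ")
        ev = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), "raw_ts": ts_str}
        for m in KV_RE.finditer(rest):
            ev[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def access_violation_crashes(events):
    """(host, proc) for browser crashes whose signal/detail look like memory corruption."""
    out = []
    for e in events:
        if e.get("event") != "crash" or e.get("proc") not in BROWSER_PROCS:
            continue
        blob = f"{e.get('signal', '')} {e.get('detail', '')}"
        if any(marker in blob for marker in ACCESS_VIOLATION_MARKERS):
            out.append((e["host"], e["proc"]))
    return out


def dst_host(dst):
    host, _, _port = dst.rpartition(":")
    return host or dst


def is_allowed(dst):
    host = dst_host(dst)
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DST)


def find_post_crash_beacons(events, window=WINDOW):
    """(host, proc, crash_ts, dst) for non-allowlisted connections soon after a crash."""
    hits = []
    for c in events:
        if c.get("event") != "crash" or c.get("proc") not in BROWSER_PROCS:
            continue
        for e in events:
            if (e.get("event") == "netconn"
                    and e.get("host") == c["host"]
                    and e.get("proc") == c["proc"]
                    and c["ts"] <= e["ts"] <= c["ts"] + window
                    and not is_allowed(e.get("dst", ""))):
                hits.append((c["host"], c["proc"], c["raw_ts"], e["dst"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("access-violation crashes:", access_violation_crashes(evs))
    print("post-crash beacons:", find_post_crash_beacons(evs))
```

A crash alone (ws-31) is noisy on its own, since Firefox crashes for many benign reasons; the correlated pattern (ws-12) is the one worth paging on, and the allowlist keeps the built-in crash reporter's own upload from triggering it.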

🔗 References

  • Mozilla Security Advisories: https://www.mozilla.org/security/advisories/
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-6424