CVE-2025-5262

Published: May 27, 2025Modified: Sep 19, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 139 and Thunderbird < 128.11.

Affected (2)

Products: Mozilla: Thunderbird

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Mozilla Thunderbird	Before 139.0
Mozilla Thunderbird	Before 128.11.0

Related CWEs

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

References (3)

https://bugzilla.mozilla.org/show_bug.cgi?id=1962421

Source: security@mozilla.org

Issue TrackingPermissions Required

https://www.mozilla.org/security/advisories/mfsa2025-45/

Source: security@mozilla.org

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2025-46/

Source: security@mozilla.org

Vendor Advisory

Timeline

No history available yet.