May 28, 2025
Severity
Medium
Analysis Summary
Mozilla has released emergency security updates to address a critical vulnerability (CVE-2025-5262) in Firefox that could allow arbitrary code execution on victims’ systems without any user interaction. The flaw, disclosed on May 27, 2025, is highly dangerous due to its zero-click nature, meaning simply browsing a malicious webpage is enough for exploitation. The issue lies within the libvpx library, used by Firefox for VP8/VP9 video processing in WebRTC, a protocol enabling real-time audio and video communication directly through the browser.
The vulnerability is caused by a double-free memory corruption in the vpx_codec_enc_init_multi function, triggered during failed memory allocations when initializing the video encoder. Specifically, a logic flaw in the vp8e_init() function allowed ownership of a memory pointer (mr_low_res_mode_info) to be taken even if the compressor creation (vp8_create_compressor()) failed. This inconsistency caused both the calling function and vpx_codec_destroy() to attempt freeing the same memory block, leading to memory corruption and a potentially exploitable crash.
All versions of Firefox prior to 139.0, Firefox ESR prior to 128.11, and Firefox ESR prior to 115.24 are affected. With a CVSS v3.1 rating of High, this vulnerability is considered critical due to its ease of exploitation and significant impact. The fact that it resides in WebRTC, a widely used technology for browser-based video conferencing, heightens its risk. Notably, similar vulnerabilities in libvpx have been actively exploited by surveillance vendors in the past, further emphasizing the urgency of patching this flaw.
Mozilla has addressed the issue in Firefox 139 and the updated ESR versions (128.11 and 115.24) with a fix contributed by James Zern of Google, which ensures that the mr_* variables are cleared on failure so the double-free condition cannot occur. Users are strongly advised to update immediately to protect against possible attacks. To verify the update, users should open the Firefox menu and go to “Help” > “About Firefox”, where the browser will automatically check for and apply updates. Keeping the browser up to date is essential to maintaining system security.
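The following is an added C example, not libvpx code and not part of the original advisory. It models the ownership mistake described above (the context keeps the mr_low_res_mode_info pointer even though vp8_create_compressor() failed, so both the caller in vpx_codec_enc_init_multi and vpx_codec_destroy() release it) next to the corrected pattern that clears the mr_* field on failure. The struct layout, the `_sim` functions and the free-counting helper are constructed for the illustration; only the function and field names are taken from the advisory. Counting releases instead of calling free() twice keeps the demonstration defined behaviour.

```c
/* Added example (not libvpx code): models the ownership bug behind
 * CVE-2025-5262 and the fix that clears the mr_* pointer on failure.
 * Names mirror the advisory (mr_low_res_mode_info, vp8e_init,
 * vp8_create_compressor, vpx_codec_destroy); the structs, the "_sim"
 * functions and the free-tracking helper are constructed here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracked heap block: instead of really calling free() twice (undefined
 * behaviour), count how many times each block is released. */
typedef struct {
    int free_count;      /* >1 means a double free occurred */
    char data[64];       /* stand-in for the multi-resolution mode info */
} tracked_block;

typedef struct {
    tracked_block *mr_low_res_mode_info; /* pointer the context may own */
    int compressor_ready;
} vp8_ctx;

static tracked_block *tracked_alloc(void) {
    return calloc(1, sizeof(tracked_block));
}

static void tracked_free(tracked_block *b) {
    if (b) b->free_count++;
}

/* Simulated vp8_create_compressor(): fail_alloc=1 models the failed
 * memory allocation during encoder initialisation. */
static int vp8_create_compressor_sim(vp8_ctx *ctx, int fail_alloc) {
    if (fail_alloc) return -1;
    ctx->compressor_ready = 1;
    return 0;
}

/* Buggy pattern: the context takes ownership of the pointer before the
 * compressor creation result is known, and keeps it on failure. */
static int vp8e_init_buggy(vp8_ctx *ctx, tracked_block *mr_info, int fail_alloc) {
    ctx->mr_low_res_mode_info = mr_info;
    if (vp8_create_compressor_sim(ctx, fail_alloc) != 0)
        return -1; /* ownership not released: caller and ctx both "own" it */
    return 0;
}

/* Fixed pattern: on failure clear the mr_* field so the context no longer
 * references memory the caller still owns and will free itself. */
static int vp8e_init_fixed(vp8_ctx *ctx, tracked_block *mr_info, int fail_alloc) {
    ctx->mr_low_res_mode_info = mr_info;
    if (vp8_create_compressor_sim(ctx, fail_alloc) != 0) {
        ctx->mr_low_res_mode_info = NULL;
        return -1;
    }
    return 0;
}

/* Simulated vpx_codec_destroy(): frees whatever the context still owns. */
static void vpx_codec_destroy_sim(vp8_ctx *ctx) {
    tracked_free(ctx->mr_low_res_mode_info);
    ctx->mr_low_res_mode_info = NULL;
}

/* Simulated vpx_codec_enc_init_multi() error path: the caller frees the
 * block it allocated, then destroys the partially initialised context.
 * Returns how many times the shared block was released (1 is correct). */
static int enc_init_multi_failure_path(int (*init)(vp8_ctx *, tracked_block *, int)) {
    vp8_ctx ctx;
    tracked_block *mr_info = tracked_alloc();
    int count;

    if (!mr_info) return -1;
    memset(&ctx, 0, sizeof ctx);
    if (init(&ctx, mr_info, /*fail_alloc=*/1) != 0) {
        tracked_free(mr_info);        /* caller cleans up its own allocation */
        vpx_codec_destroy_sim(&ctx);  /* and tears down the context */
    }
    count = mr_info->free_count;
    free(mr_info);                    /* the one real release */
    return count;
}

int main(void) {
    printf("buggy init: block released %d time(s)\n",
           enc_init_multi_failure_path(vp8e_init_buggy));
    printf("fixed init: block released %d time(s)\n",
           enc_init_multi_failure_path(vp8e_init_fixed));
    return 0;
}
```

The buggy path reports the block released twice, which in real code is the double free that the advisory describes as a potentially exploitable crash; the fixed path reports a single release because the context gave up its reference before the caller's cleanup ran.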
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-5262
Affected Vendors
- Mozilla
Affected Products
- Mozilla Firefox
- Mozilla Firefox ESR
Remediation
- Refer to the Mozilla Security Advisory for patch, upgrade, or suggested workaround information.
- Firefox will check for updates and prompt you to restart if an update is available.
- Ensure all endpoints (desktops, laptops, managed systems) using Firefox are updated.
- Include enterprise environments and personal devices.
- Use browser settings or extensions to disable WebRTC until the update is applied, especially in high-risk environments.
- Confirm Firefox is set to automatically install updates to avoid delays in future patches.
- Watch for any suspicious behavior related to browser crashes or memory issues.
- Consider endpoint detection tools to monitor exploitation attempts.
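To support the endpoint checks above, here is an added POSIX shell example (not from the advisory or from Mozilla) that classifies a Firefox version string against the fixed releases named in the advisory: 139.0 for the release channel, 128.11 and 115.24 for the two ESR branches. It assumes the input is the line printed by `firefox --version` (for example `Mozilla Firefox 138.0.4` or `Mozilla Firefox 128.10.0esr`); the sample strings at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Firefox version string
# against the fixed releases for CVE-2025-5262 (139.0, ESR 128.11, ESR 115.24).
# Input is assumed to be the output of `firefox --version`.

# Compare two dotted version strings numerically; prints -1, 0 or 1.
# Missing components are treated as 0, so "128.11" equals "128.11.0".
vercmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && { echo -1; return 0; }
        [ "$x" -gt "$y" ] && { echo 1; return 0; }
    done
    echo 0
}

# Print "patched", "vulnerable" or "unparsed" for one version line.
# Exit status: 0 patched, 1 vulnerable, 2 could not parse the line.
firefox_patched() {
    ver=$(printf '%s' "$1" | sed -n 's/^Mozilla Firefox \([0-9][0-9.]*\).*/\1/p')
    [ -z "$ver" ] && { echo unparsed; return 2; }
    case "$1" in
        *esr*)
            major=${ver%%.*}
            case "$major" in
                115) fixed=115.24 ;;
                # 128 is fixed at 128.11; any newer ESR major compares as
                # patched against it, any older ESR major as vulnerable.
                *)   fixed=128.11 ;;
            esac ;;
        *)  fixed=139.0 ;;
    esac
    if [ "$(vercmp "$ver" "$fixed")" -ge 0 ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# Constructed sample lines, as `firefox --version` would print them.
for v in "Mozilla Firefox 138.0.4" "Mozilla Firefox 139.0" \
         "Mozilla Firefox 128.10.0esr" "Mozilla Firefox 128.11.0esr" \
         "Mozilla Firefox 115.23.1esr" "Mozilla Firefox 115.24.0esr"; do
    printf '%-32s %s\n' "$v" "$(firefox_patched "$v")"
done
```

On a managed fleet the same function can be fed the output collected from each endpoint, so hosts still on a pre-fix build show up as `vulnerable` and can be prioritised for the update before any WebRTC workaround is lifted.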