CVE-2025-1012
Published: 04 February 2025
Description
A race during concurrent delazification could have led to a use-after-free. This vulnerability was fixed in Firefox 135, Firefox ESR 115.20, Firefox ESR 128.7, Thunderbird 128.7, and Thunderbird 135.
Security Summary
CVE-2025-1012 is a use-after-free vulnerability (CWE-416) caused by a race condition during concurrent delazification in Mozilla Firefox and Thunderbird. The flaw affects versions of Firefox prior to 135, Firefox ESR prior to 115.20 and 128.7, Thunderbird prior to 128.7 and 135. It was publicly disclosed on 2025-02-04 and carries a CVSS v3.1 base score of 7.5.
The vulnerability can be exploited remotely over the network (AV:N) by attackers requiring no privileges (PR:N), though exploitation demands high complexity (AC:H) and user interaction (UI:R), with no change in scope (S:U). Successful attacks could achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially enabling arbitrary code execution or memory corruption in the browser context.
Mozilla's security advisories (MFSA2025-07, MFSA2025-08, MFSA2025-09, and MFSA2025-10), along with Bugzilla entry 1939710, confirm the issue was addressed in the specified fixed releases. Mitigation involves updating affected Firefox and Thunderbird installations to the patched versions as soon as possible.
Details
- CWE(s)