Mozilla has released Firefox 140, addressing a number of important security vulnerabilities, including a high-impact use-after-free vulnerability that could lead to code execution.
The update patches twelve distinct security flaws, ranging from memory safety issues to platform-specific vulnerabilities affecting both the desktop and mobile versions of the browser.
Summary
1. Firefox 140 addresses CVE-2025-6424, a high-severity use-after-free bug in FontFaceSet that may allow code execution attacks.
2. Multiple memory corruption bugs (CVE-2025-6436) that could lead to arbitrary code execution were addressed.
3. macOS- and Android-specific vulnerabilities, including a file warning bypass and URL manipulation, were patched.
4. 12 security flaws fixed in total; a prompt update is essential for protection.
High-Impact Security Flaws Addressed
CVE-2025-6424: Use-after-free in FontFaceSet
CVE-2025-6424 is a high-impact use-after-free vulnerability discovered in Firefox's FontFaceSet component by security researchers LJP and HexRabbit from the DEVCORE Research Team.
A use-after-free vulnerability occurs when a program continues to use memory after it has been freed or deallocated, leading to memory corruption.
In this particular case, the vulnerability exists in FontFaceSet, which is part of Firefox's font handling system that manages web fonts and font loading operations.
When triggered, this flaw results in a potentially exploitable crash that attackers could leverage to execute arbitrary code on the victim's system.
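The ownership failure behind a use-after-free, and the poison-on-free check that makes such a stale access visible, shown in a small C model added here as an illustration. This is not Firefox or Mozilla code: the font_face_t object, its reference-counting scheme and the quarantining allocator are constructed for the example, and they do not reproduce the actual root cause of CVE-2025-6424, which the article does not describe. The quarantine mimics what AddressSanitizer and hardened allocators do, which is why fuzzing with a sanitizer finds this bug class long before it reaches users.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* --- Toy quarantining allocator (constructed for this example) ---
 * Freed blocks are filled with a poison byte and parked instead of being
 * handed back to malloc. A stale pointer dereferenced later therefore sees
 * 0xFD bytes rather than whatever object happened to reuse the memory, which
 * is the detection idea behind sanitizers and hardened allocators. */
#define POISON_BYTE 0xFD
#define QUARANTINE_SLOTS 8

static struct { void *ptr; } quarantine[QUARANTINE_SLOTS];
static size_t q_next = 0;

static void *q_alloc(size_t n) { return malloc(n); }

static void q_free(void *p, size_t n) {
    memset(p, POISON_BYTE, n);                         /* poison on free */
    if (quarantine[q_next].ptr) free(quarantine[q_next].ptr); /* evict oldest */
    quarantine[q_next].ptr = p;
    q_next = (q_next + 1) % QUARANTINE_SLOTS;
}

/* Returns 1 if every byte of [p, p+n) carries the poison pattern, i.e. the
 * block has been released and is being touched through a stale pointer. */
static int q_looks_freed(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++)
        if (b[i] != POISON_BYTE) return 0;
    return n > 0;
}

/* --- Toy reference-counted object standing in for a font-face entry --- */
typedef struct { int refcount; char family[24]; } font_face_t;

static font_face_t *font_face_new(const char *family) {
    font_face_t *f = q_alloc(sizeof *f);
    f->refcount = 1;
    strncpy(f->family, family, sizeof f->family - 1);
    f->family[sizeof f->family - 1] = '\0';
    return f;
}
static void font_face_addref(font_face_t *f) { f->refcount++; }
static void font_face_release(font_face_t *f) {
    if (--f->refcount == 0) q_free(f, sizeof *f);
}

/* Pattern 1 (the bug class): a pending load callback keeps only a raw
 * pointer, the owning set drops its reference first, and the callback then
 * reads released memory. With poison-on-free the stale read is recognisable. */
int stale_pointer_is_detected(void) {
    font_face_t *f = font_face_new("Sans");
    font_face_t *pending_callback_arg = f;   /* raw pointer, no reference held */
    font_face_release(f);                    /* set clears entry: refcount 1 -> 0 */
    /* callback fires later and touches the object */
    return q_looks_freed(pending_callback_arg, sizeof *pending_callback_arg);
}

/* Pattern 2 (the fix class): whoever still needs the object across the async
 * boundary holds a strong reference, so the set's release cannot free it. */
int strong_ref_keeps_object_alive(void) {
    font_face_t *f = font_face_new("Sans");
    font_face_addref(f);                     /* callback registered: 1 -> 2 */
    font_face_release(f);                    /* set clears entry: 2 -> 1 */
    int intact = strcmp(f->family, "Sans") == 0 && f->refcount == 1;
    font_face_release(f);                    /* callback finished: 1 -> 0, freed now */
    return intact;
}

int main(void) {
    printf("stale pointer detected by poison check: %d\n", stale_pointer_is_detected());
    printf("strong reference keeps object intact:   %d\n", strong_ref_keeps_object_alive());
    return 0;
}
```

The read in the first pattern is well defined here only because the quarantine never returns the block to malloc; in a real allocator the same access is undefined behaviour and the memory may already hold an attacker-shaped object. The second pattern is the usual remedy in reference-counted browser code: take a strong reference for the lifetime of the pending operation rather than relying on the owning container to outlive it.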
CVE-2025-6436: Memory Safety Bugs Collection
CVE-2025-6436 encompasses multiple memory safety vulnerabilities that were present in Firefox 139 and Thunderbird 139.
This CVE was reported by Mozilla's internal security team, including Andrew McCreight, Gabriele Svelto, Beth Rennie, and the Mozilla Fuzzing Team, indicating it was discovered through Mozilla's ongoing security testing processes.
Unlike a single specific vulnerability, CVE-2025-6436 represents a set of memory safety issues that showed evidence of memory corruption.
Memory safety bugs can include buffer overflows, use-after-free conditions, double-free errors, and other memory management flaws.
Additional Security Flaws
The update also resolves CVE-2025-6425, a moderate-impact vulnerability where the WebCompat WebExtension exposed a persistent UUID that could be used to track users across containers and browsing modes.
Security researcher Rob Wu identified this privacy issue, which could allow attackers to fingerprint browsers persistently.
CVE-2025-6426, a low-impact flaw, affects Firefox for macOS, where executable files with the terminal extension would open without a proper warning dialog, potentially exposing users to malicious software execution. This vulnerability was reported by security researcher pwn2car.
Android users benefit from fixes for two distinct issues. CVE-2025-6428 addressed a URL manipulation vulnerability where Firefox for Android would incorrectly follow URLs specified in link querystring parameters instead of the intended destination, potentially facilitating phishing attacks.
Additionally, CVE-2025-6431 resolved a bypass of the external application prompt, which could expose users to security vulnerabilities in third-party applications.
The release includes fixes for several Content Security Policy (CSP) bypass vulnerabilities.
CVE-2025-6427 addressed a connect-src directive bypass through subdocument manipulation, while CVE-2025-6430 resolved issues with Content-Disposition header handling in embed and object tags that could lead to cross-site scripting attacks.
Users should update to Firefox 140 immediately to protect against these vulnerabilities.
The comprehensive nature of these fixes, particularly the high-impact memory safety issues, makes this update essential for maintaining browser security.
System administrators should prioritize deploying this update across organizational networks to prevent potential exploitation of the documented vulnerabilities.