CVE-2025-5262 - Vulnerability Details

This CVE was accidentally assigned by Mozilla but should be assigned by another CNA. When the correct CVE is available, Mozilla's advisories will be updated to reflect that identifier.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://www.cve.org/CVERecord?id=CVE-2025-5262

History

Thu, 29 May 2025 17:30:00 +0000

Type	Values Removed	Values Added
Title		firefox: thunderbird: Double-free in libvpx encoder
Weaknesses		CWE-415
References		https://www.cve.org/CVERecord?id=CVE-2025-5262
Metrics	threat_severity `None`	cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` threat_severity `Critical`

Tue, 27 May 2025 18:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-415
References	https://bugzilla.mozilla.org/show_bug.cgi?id=1962421 https://www.mozilla.org/security/advisories/mfsa2025-42/ https://www.mozilla.org/security/advisories/mfsa2025-43/ https://www.mozilla.org/security/advisories/mfsa2025-44/
Metrics	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Tue, 27 May 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 27 May 2025 17:45:00 +0000

Type	Values Removed	Values Added
Description	A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, and Firefox ESR < 128.11.	This CVE was accidentally assigned by Mozilla but should be assigned by another CNA. When the correct CVE is available, Mozilla's advisories will be updated to reflect that identifier.

Tue, 27 May 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-415
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 27 May 2025 12:45:00 +0000

Type	Values Removed	Values Added
Description		A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Firefox < 139, Firefox ESR < 115.24, and Firefox ESR < 128.11.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1962421 https://www.mozilla.org/security/advisories/mfsa2025-42/ https://www.mozilla.org/security/advisories/mfsa2025-43/ https://www.mozilla.org/security/advisories/mfsa2025-44/

MITRE

Status: REJECTED

Assigner: mozilla

Published: 2025-05-27T12:29:21.813Z

Updated: 2025-05-27T17:20:44.465Z

Reserved: 2025-05-27T12:29:21.325Z

Link: CVE-2025-5262

Vulnrichment

Updated:

NVD

Status : Rejected

Published: 2025-05-27T13:15:21.980

Modified: 2025-05-27T18:15:31.980

Link: CVE-2025-5262

Redhat

Severity : Critical

Publid Date: 2025-05-27T00:00:00Z

Links: CVE-2025-5262 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object