Critical Firefox Vulnerability in libvpx Allows Remote Code Execution Without User Interaction

Mozilla has recently released emergency security updates to address a critical vulnerability in Firefox, identified as CVE-2025-5262. This flaw enables attackers to execute arbitrary code on victims’ systems without requiring any user interaction beyond standard browsing activities. The vulnerability resides in the libvpx library, which Firefox utilizes for VP8 and VP9 video encoding and decoding within WebRTC communications.

Understanding the Vulnerability

The core issue is a double-free memory corruption in the `vpx_codec_enc_init_multi` function of libvpx, which initializes the encoder for WebRTC. The flaw is triggered when a memory allocation fails during encoder initialization. Specifically, in the `vp8e_init()` function, the encoder takes ownership of `mr_cfg.mr_low_res_mode_info` even if `vp8_create_compressor()` fails. The caller, seeing the failure, still treats the buffer as its own and frees it, and `vpx_codec_destroy()` then frees the same memory block again, resulting in a double-free condition. Such memory corruption can cause exploitable crashes, potentially allowing attackers to execute arbitrary code on the affected system.

Affected Versions and Impact

The vulnerability affects the following versions of Firefox:

– Firefox versions prior to 139.0
– Firefox ESR versions prior to 128.11
– Firefox ESR versions prior to 115.24

Given the widespread use of WebRTC for real-time communications, including video conferencing and other interactive web features, this vulnerability poses a significant risk. Notably, previous vulnerabilities in the libvpx library have been actively exploited by commercial surveillance vendors, underscoring the potential for malicious use.

Mitigation and Recommendations

Mozilla has addressed this critical issue in the following releases:

– Firefox 139.0
– Firefox ESR 128.11
– Firefox ESR 115.24

These updates were made available on May 27, 2025. The fix, contributed by James Zern from Google, ensures that `mr_` related variables are cleared upon failure, thereby preventing the double-free condition.
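The ownership mistake and its fix described above, as a simplified C model added here for illustration (it is not libvpx or Mozilla code). All struct and function names are hypothetical, and a release counter stands in for free() so the double release can be observed without corrupting the heap.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not libvpx code: all names here are hypothetical.
 * A counter stands in for free() so the double release is observable
 * without actually corrupting the heap. */
struct tracked_buf { int releases; };

struct enc_ctx {
    struct tracked_buf *low_res_info;  /* released by enc_destroy() when non-NULL */
};

static void release(struct tracked_buf *b) { if (b) b->releases++; }

/* Stand-in for the compressor allocation that fails. */
static int create_compressor(void) { return -1; }

/* clear_on_failure = 0 models the flawed behaviour, 1 the fixed one. */
static int enc_init(struct enc_ctx *ctx, struct tracked_buf *info,
                    int clear_on_failure) {
    ctx->low_res_info = info;          /* context takes the pointer early */
    if (create_compressor() != 0) {
        if (clear_on_failure)
            ctx->low_res_info = NULL;  /* ownership stays with the caller */
        return -1;
    }
    return 0;
}

static void enc_destroy(struct enc_ctx *ctx) {
    release(ctx->low_res_info);
    ctx->low_res_info = NULL;
}

/* Caller path: on init failure it releases its buffer, then destroys ctx. */
int releases_after_failed_init(int clear_on_failure) {
    struct tracked_buf info = {0};
    struct enc_ctx ctx = {0};
    if (enc_init(&ctx, &info, clear_on_failure) != 0)
        release(&info);                /* caller believes it still owns info */
    enc_destroy(&ctx);
    return info.releases;
}

int main(void) {
    printf("flawed: %d releases\n", releases_after_failed_init(0));
    printf("fixed:  %d releases\n", releases_after_failed_init(1));
    return 0;
}
```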

Users are strongly advised to update their browsers immediately to the latest versions to mitigate the risk associated with this vulnerability. To verify and apply updates in Firefox, navigate to the Firefox menu, select Help, and click on About Firefox. The browser will automatically check for updates and prompt for a restart if an update is available.

Conclusion

The discovery of CVE-2025-5262 highlights the critical importance of promptly addressing security vulnerabilities, especially those that can be exploited without user interaction. By updating to the latest versions of Firefox, users can protect themselves against potential attacks leveraging this flaw. Staying vigilant and ensuring software is up-to-date remains a fundamental practice in maintaining cybersecurity.