CVE-2025-11719 — Use After Free in Mozilla Firefox

CWE-416 — Use After Free8 documents7 sources

Severity

9.8CRITICALNVD

EPSS

0.1%

top 81.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Thunderbird

Timeline

PublishedOct 14

Description

Starting in Thunderbird 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corruption. This vulnerability was fixed in Firefox 144 and Thunderbird 144.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDmozilla/thunderbird143.0 — 144.0

▶NVDmozilla/firefox143.0 — 144.0

🔴Vulnerability Details

CVEList

Use-after-free caused by the native messaging web extension API on Windows↗2025-10-14

▶

OSV

CVE-2025-11719: Starting in Thunderbird 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory co↗2025-10-14

▶

GHSA

GHSA-wvmm-cxmc-39xj: Starting in Firefox 143, the use of the native messaging API by web extensions on Windows could lead to crashes caused by use-after-free memory corrup↗2025-10-14

▶

📋Vendor Advisories

Red Hat

thunderbird: firefox: Use-after-free caused by the native messaging web extension API on Windows↗2025-10-14

▶

Debian

CVE-2025-11719: firefox - Starting in Thunderbird 143, the use of the native messaging API by web extensio...↗2025

▶

Mozilla

Mozilla Foundation Security Advisory 2025-84: CVE-2025-11719↗

▶

Mozilla

Mozilla Foundation Security Advisory 2025-81: CVE-2025-11719↗

▶