CVE-2025-5262 — Double Free in Mozilla Thunderbird

CWE-415 — Double Free5 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 40.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Thunderbird

Timeline

PublishedMay 27

Description

A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 139 and Thunderbird < 128.11.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5mozilla/thunderbirdunspecified — 139+1

▶NVDmozilla/thunderbird< 128.11.0+1

🔴Vulnerability Details

GHSA

GHSA-v5j6-fjmw-w724: A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC↗2025-05-27

▶

CVEList

CVE-2025-5262: A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC↗2025-05-27

▶

OSV

CVE-2025-5262: A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC↗2025-05-27

▶

📋Vendor Advisories

Red Hat

firefox: thunderbird: Double-free in libvpx encoder↗2025-05-27

▶