CVE-2025-5262

high

Description

A double-free could have occurred in `vpx_codec_enc_init_multi` after a failed allocation when initializing the encoder for WebRTC. This could have caused memory corruption and a potentially exploitable crash. This vulnerability affects Thunderbird < 139 and Thunderbird < 128.11.

References

https://www.mozilla.org/security/advisories/mfsa2025-46/

https://www.mozilla.org/security/advisories/mfsa2025-45/

https://bugzilla.mozilla.org/show_bug.cgi?id=1962421

Details

Source: Mitre, NVD

Published: 2025-05-27

Updated: 2025-09-19

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

EPSS

EPSS: 0.00025