Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
The vulnerability results from improper handling of boundary conditions in the component responsible for processing audio and video in the WebRTC protocol. An attacker can provide specially crafted media data over the network, leading to memory integrity violation or other improper application behavior. Due to the lack of detailed technical information (CWE: NVD-CWE-noinfo), the exact exploitation mechanism is not publicly documented.
Successful exploitation of this vulnerability may allow an attacker to obtain sensitive data, compromise system integrity, or cause application unavailability — with the highest level of impact on confidentiality, integrity, and availability according to the CVSS vector.
Software should be updated to the following versions: Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, or Thunderbird 140.8, in accordance with the manufacturer's recommendations published in Mozilla security advisories (MFSA2026-13 through MFSA2026-16).
Mozilla Firefox prior to version 148, Mozilla Firefox ESR prior to versions 115.33 and 140.8, Mozilla Thunderbird prior to version 148, and Mozilla Thunderbird prior to version 140.8.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMozilla Firefox
APPMozilla< 115.33.0< 148.0128.0 – 140.8.0 (bez)Mozilla Thunderbird
APPMozilla< 140.8.0< 148.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...