CVE-2025-1930
Published: 04 March 2025
Summary
CVE-2025-1930 is a high-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 43.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly mitigates the use-after-free vulnerability by requiring timely patching of affected Firefox and Thunderbird versions to fix the AudioIPC StreamData handling flaw.
Addresses malformed StreamData inputs over AudioIPC by enforcing validation in the Browser process to prevent triggering the use-after-free condition.
Provides memory protections such as ASLR and DEP to mitigate exploitation of the use-after-free in the Browser process following content process compromise.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
A use-after-free in the Browser process enables sandbox escape from a compromised content process, directly facilitating client-side code execution (T1203), privilege escalation to the Browser process (T1068), and evasion of sandbox defenses (T1211).
NVD Description
On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. This vulnerability was fixed in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.
Deeper analysis (AI)
CVE-2025-1930 is a use-after-free vulnerability (CWE-416) affecting the Browser process in Firefox and Thunderbird on Windows. It occurs when a compromised content process sends malformed StreamData over AudioIPC, triggering the use-after-free condition. The vulnerability impacts Firefox versions prior to 136, Firefox ESR prior to 115.21 and 128.8, Thunderbird prior to 136, and Thunderbird prior to 128.8. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An attacker who first compromises a content process—such as through a separate renderer exploit—can send crafted AudioIPC StreamData to the Browser process, leading to a use-after-free. This enables a sandbox escape, allowing the attacker to execute code outside the content process sandbox with the privileges of the Browser process. Exploitation requires user interaction and is feasible over the network with low complexity and no privileges.
Mozilla addressed the issue in the specified fixed releases, as detailed in security advisories MFSA 2025-14 through MFSA 2025-17 and Bugzilla entry 1902309. Security practitioners should prioritize updating affected Firefox and Thunderbird installations on Windows to the patched versions to mitigate the risk of sandbox escape following content process compromise.
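To support the patch prioritization described above, the following added example (not code from Mozilla or from this page) classifies an inventory against the fixed releases listed here. The inventory record layout, hostnames and sample versions are constructed, and treating the major version as the long-term branch identifier is an assumption.

```python
import re

# Fixed releases exactly as listed on this page, keyed by product.
FIXED_MAINLINE = {"firefox": (136, 0), "thunderbird": (136, 0)}
FIXED_BRANCH = {
    "firefox": {115: (115, 21), 128: (128, 8)},   # ESR 115.21, ESR 128.8
    "thunderbird": {128: (128, 8)},               # Thunderbird 128.8
}

def parse_version(text):
    """Return (major, minor) from strings such as '128.8.0esr' or '136'."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def status(product, version, os_name):
    """Classify one install as 'not-applicable', 'patched' or 'vulnerable'."""
    product = product.lower()
    if product not in FIXED_MAINLINE or os_name.lower() != "windows":
        return "not-applicable"          # the page describes the flaw on Windows only
    ver = parse_version(version)
    if ver >= FIXED_MAINLINE[product]:
        return "patched"
    # Assumption: the major version identifies the long-term branch, so the
    # branch fix applies only within that major (130.0 is NOT covered by 128.8).
    branch_fix = FIXED_BRANCH[product].get(ver[0])
    if branch_fix and ver >= branch_fix:
        return "patched"
    return "vulnerable"

# Constructed sample inventory (hostnames and versions are illustrative).
INVENTORY = [
    ("ws-01", "Firefox", "135.0.1", "Windows"),
    ("ws-02", "Firefox", "128.8.0esr", "Windows"),
    ("ws-03", "Firefox", "130.0", "Windows"),
    ("ws-04", "Firefox", "115.20.0esr", "Windows"),
    ("ws-05", "Thunderbird", "128.7.1esr", "Windows"),
    ("lx-01", "Firefox", "128.3.0esr", "Linux"),
]

def triage(inventory):
    """Map host -> status for every record in the inventory."""
    return {host: status(prod, ver, os_name) for host, prod, ver, os_name in inventory}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host}: {result}")
```

A single threshold comparison misclassifies both ways: "at least 128.8" would pass a 130.0 install, and "at least 136" would flag a patched ESR 128.8.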
Details
- CWE(s)