Cyber Resilience

CVE-2025-6424

Severity: Critical

Published: 24 June 2025
Modified: 13 April 2026
KEV Added: not listed
Patch: fixed releases available (see below)
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0110 (78.5th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-6424 is a critical-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score ranks it in the top 21.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

A use-after-free vulnerability in the FontFaceSet component can produce a potentially exploitable crash. The flaw affects versions of Firefox and Thunderbird prior to the fixed releases of Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

Per the CVSS vector, the issue can be triggered by a remote attacker over the network without authentication or user interaction, with an impact of arbitrary code execution or a denial-of-service condition, consistent with the 9.8 rating and the CWE-416 classification.

Mozilla advisories MFSA2025-51, MFSA2025-52, MFSA2025-53, and MFSA2025-54, along with the referenced Bugzilla entry, direct users to apply the listed updates as the primary mitigation.

The associated EPSS score has remained flat at 0.0110 with no material increase observed after disclosure.

Vulnerability details

A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability was fixed in Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: mozilla
Product: firefox
Affected versions: ≤ 115.25.0 · ≤ 140.0 · 116.0 — 128.12.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-416

Use-after-free exploits that aim at arbitrary code execution are blocked or made significantly harder by non-executable memory pages (NX/DEP) and address space layout randomization (ASLR).
