CVE-2025-6424
Published: 24 June 2025
Summary
CVE-2025-6424 is a critical-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).
Its EPSS percentile places it in the top 21.5% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A use-after-free vulnerability in the FontFaceSet component can produce a potentially exploitable crash. The flaw affects versions of Firefox and Thunderbird prior to the fixed releases of Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.
The vulnerable code is reachable from untrusted content: FontFaceSet backs the CSS Font Loading API (document.fonts), so a crafted web page can reach it with no privileges and no explicit user action beyond loading the page, which is how the CVSS 9.8 vector (network, low complexity, no privileges, no user interaction, full impact) scores it. As with other CWE-416 bugs, the outcome ranges from a crash (denial of service) to arbitrary code execution in the affected process if the freed memory can be reclaimed with attacker-controlled data before the stale reference is used. For Thunderbird, Mozilla's advisories note that scripting is disabled when reading mail, so the practical exposure there is in browser-like contexts rather than in ordinary message viewing.
Mozilla advisories MFSA2025-51, MFSA2025-52, MFSA2025-53, and MFSA2025-54, along with the referenced Bugzilla entry, direct users to apply the listed updates as the primary mitigation.
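Because the fix landed on three separate lines (ESR 115, ESR 128 and the 140 release train), a plain "version >= 140" check misreports ESR installs. The following check is an added example, not Mozilla tooling; it encodes only the fixed releases named in the advisory and treats anything on an unfixed line (for example Thunderbird 115.x, which received no fix here) as unpatched. The `installed_version` helper and the product names are assumptions for illustration.

```python
"""Check whether an installed Firefox/Thunderbird build carries the fix for
CVE-2025-6424. Added example, not Mozilla's own tooling."""
import re
import subprocess

# Fixed release per product and branch, from the advisory text:
# Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12,
# Thunderbird 140, Thunderbird 128.12.
# Keys that are ints are ESR lines; "release" is the main train.
FIXED = {
    "firefox": {115: (115, 25), 128: (128, 12), "release": (140, 0)},
    # Thunderbird 115 ESR is not in the advisory, so 115.x stays unpatched.
    "thunderbird": {128: (128, 12), "release": (140, 0)},
}

# Matches "140.0", "128.11.0esr" or "Mozilla Firefox 115.24.0esr".
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?")


def parse_version(text):
    """Return (major, minor, patch, is_esr) parsed from a version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return major, minor, patch, bool(m.group(4))


def required_fix(product, version_text):
    """Return the (major, minor) of the release that fixes the given install.

    An install on a maintained ESR line is compared against that line's
    fixed point release; anything else must be at or past the 140 release.
    """
    major, _minor, _patch, _esr = parse_version(version_text)
    branches = FIXED[product.lower()]
    return branches.get(major, branches["release"])


def is_patched(product, version_text):
    """True if the installed version is at or past the fixing release."""
    major, minor, _patch, _esr = parse_version(version_text)
    return (major, minor) >= required_fix(product, version_text)


def installed_version(binary="firefox"):
    """Ask the local binary for its version string, or None if it is absent.

    Both Firefox and Thunderbird answer `--version` with a line such as
    "Mozilla Firefox 140.0". This hypothetical helper is not used by the
    checks above; it only feeds them on a real host.
    """
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real host.
    for product, ver in [("firefox", "Mozilla Firefox 139.0.4"),
                         ("firefox", "128.11.0esr"),
                         ("firefox", "115.25.0esr"),
                         ("thunderbird", "Thunderbird 115.18.0esr")]:
        state = "patched" if is_patched(product, ver) else "VULNERABLE"
        print(f"{product:12s} {ver:28s} {state}  (needs {required_fix(product, ver)})")
```

The branch table is the only part that needs maintenance: when a later advisory supersedes these fixed versions the tuples change and the comparison logic stays the same.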
The associated EPSS score has remained flat at 0.0110 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19086
Vulnerability details
A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability was fixed in Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12.
- CWE(s): CWE-416 (Use After Free)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Firefox prior to 140
- Firefox ESR 115.x prior to 115.25
- Firefox ESR 128.x prior to 128.12
- Thunderbird prior to 140
- Thunderbird 128.x prior to 128.12
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Non-executable memory (DEP/NX) and ASLR raise the cost of turning a use-after-free into code execution: NX stops injected shellcode from running directly, and ASLR hides the addresses a ROP chain needs, so an attacker usually also needs an information leak. They do not prevent the crash, and Firefox already ships with both enabled on supported platforms, so they are a baseline rather than a substitute for patching. The content-process sandbox further limits what an exploit that succeeds in the renderer can reach. The effective control is updating to Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140 or Thunderbird 128.12, and in managed fleets enforcing that update through the usual software-deployment channel and verifying installed versions afterwards.