Mozilla has released Firefox 140, addressing multiple critical security vulnerabilities, including a high-impact use-after-free vulnerability that could lead to code execution.
The update patches twelve distinct security flaws ranging from memory safety issues to platform-specific vulnerabilities affecting both desktop and mobile versions of the browser.
Summary
1. Firefox 140 addresses CVE-2025-6424, a high-severity use-after-free bug in FontFaceSet that could enable code execution attacks.
2. Addressed multiple memory corruption bugs (CVE-2025-6436) that could lead to arbitrary code execution.
3. macOS- and Android-specific vulnerabilities, including a file warning bypass and URL manipulation, have been patched.
4. Twelve security flaws are fixed in total; updating immediately is essential for protection.
High-Impact Security Flaws Addressed
CVE-2025-6424: Use-after-free in FontFaceSet
CVE-2025-6424 is a high-impact use-after-free vulnerability discovered in Firefox’s FontFaceSet component by security researchers LJP and HexRabbit from the DEVCORE Research Team.
A use-after-free vulnerability occurs when a program continues to use memory after it has been freed, which leads to memory corruption.
In this specific case, the vulnerability exists in FontFaceSet, which is part of Firefox’s font handling system that manages web fonts and font loading operations.
When triggered, this flaw results in a potentially exploitable crash that attackers could leverage to execute arbitrary code on the victim’s system.
CVE-2025-6436: Memory Safety Bugs Collection
CVE-2025-6436 encompasses multiple memory safety vulnerabilities that were present in Firefox 139 and Thunderbird 139.
This CVE was reported by Mozilla’s internal security team, including Andrew McCreight, Gabriele Svelto, Beth Rennie, and the Mozilla Fuzzing Team, indicating it was discovered through Mozilla’s ongoing security testing processes.
Unlike a single specific vulnerability, CVE-2025-6436 represents a collection of memory safety issues that showed evidence of memory corruption.
Memory safety bugs can include buffer overflows, use-after-free conditions, double-free errors, and other memory management flaws.
Additional Security Flaws
The update also resolves CVE-2025-6425, a moderate-impact vulnerability where the WebCompat WebExtension exposed a persistent UUID that could be used to track users across containers and browsing modes.
Security researcher Rob Wu identified a privacy concern that could allow attackers to fingerprint browsers persistently.
CVE-2025-6426, a low-impact flaw, affects Firefox for macOS, where executable files with the terminal extension would open without proper warning dialogs, potentially exposing users to malicious software execution. This vulnerability was reported by security researcher pwn2car.
Android users benefit from fixes for two distinct issues. CVE-2025-6428 addressed a URL manipulation vulnerability where Firefox for Android would incorrectly follow URLs specified in a link's query-string parameters instead of the intended destination, potentially facilitating phishing attacks.
Additionally, CVE-2025-6431 resolved a bypass mechanism for the external application prompt, which could expose users to security vulnerabilities in third-party applications.
The release includes fixes for several Content Security Policy (CSP) bypass vulnerabilities.
CVE-2025-6427 addressed a connect-src directive bypass through subdocument manipulation, while CVE-2025-6430 resolved issues with Content-Disposition header handling in embed and object tags that could lead to cross-site scripting attacks.
Users should immediately update to Firefox 140 to protect against these vulnerabilities.
The comprehensive nature of these fixes, particularly the high-impact memory safety issues, makes this update critical for maintaining browser security.
System administrators should prioritize deploying this update across organizational networks to prevent potential exploitation of the documented vulnerabilities.