CVE-2025-6424 is a use-after-free vulnerability in the FontFaceSet implementation in Mozilla Firefox and Thunderbird. This memory safety bug can cause a crash that is potentially exploitable for arbitrary code execution. The vulnerability was reported by LJP and HexRabbit of the DEVCORE Research Team. It has been addressed and fixed in Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12. The vulnerability carries a CVSS v3.1 base score of 9.8, reflecting its critical impact and ease of exploitation over the network without requiring privileges or user interaction. Mozilla’s official security advisories (MFSA 2025-51 and MFSA 2025-52) provide detailed information and confirm the availability of patches.

Successful exploitation of this use-after-free vulnerability can lead to a potentially exploitable crash, allowing an attacker to execute arbitrary code on affected systems. Given the CVSS score of 9.8, the impact includes full confidentiality, integrity, and availability compromise. The vulnerability can be triggered remotely without any privileges or user interaction, making it highly dangerous if unpatched.

Mozilla has released official fixes for this vulnerability in Firefox 140, Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird 140, and Thunderbird 128.12. Users and administrators should update to these versions or later to mitigate the risk. Since this is not a cloud service vulnerability, patching the client software is required. Patch status is confirmed by the vendor advisories MFSA 2025-51 and MFSA 2025-52. No additional mitigations are indicated by the vendor advisory.