HIGH 8.8
CVE-2025-1930
On Windows, a compromised content process could use bad StreamData sent over AudioIPC to trigger a use-after-free in the Browser process. This could have led to a sandbox escape. This vulnerability was fixed in Firefox 136, Firefox ESR 115.21, Firefox ESR 128.8, Thunderbird 136, and Thunderbird 128.8.
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
0.3%
percentile 56.9%
Affected tracked apps
Vulnerable CPE configurations
| Vendor | Product | Platform | Versions | CPE 2.3 URI |
|---|---|---|---|---|
| mozilla | thunderbird | Windows | <128.8 | cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* |
| mozilla | thunderbird | Windows | >1.28.8 <136.0 | cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* |