
Mozilla has released Firefox 139, addressing a critical vulnerability in the libvpx video codec encoder that could lead to memory corruption and potentially allow remote code execution.
While Chrome patched the same underlying flaw in its latest release, Google assessed it as medium severity, revealing an interesting divergence in risk evaluation between the two major browsers.
The critical flaw was discovered by Randell Jesup, a long-time WebRTC developer at Mozilla. The vulnerability arises from a double-free condition in vpx_codec_enc_init_multi, which is part of the libvpx encoder used for WebRTC video handling. Specifically, after a failed memory allocation during encoder initialization, the function could free the same memory block twice, corrupting the heap and triggering crashes or potentially enabling arbitrary code execution.
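The failure mode described above, a per-instance cleanup that frees a block on an allocation error and an outer error path that then frees the same block again, is easy to reproduce in miniature. The following C program is an added, illustrative example and is not libvpx's code: `init_multi_buggy`, `init_multi_fixed`, `t_alloc`, `t_free` and the `struct enc` layout are all hypothetical. A small tracking allocator with fault injection counts frees that hit an already-released pointer, so the double free is observed rather than executed against the real heap.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a double free on an allocation-failure path.
 * Not libvpx's code: the names and layout are constructed for illustration.
 * The tracker below stands in for what ASan or a hardened allocator does:
 * it records live pointers and counts a free of a non-live pointer. */

#define MAX_TRACKED 16

static void *live[MAX_TRACKED];   /* pointers currently owned by the caller */
static int double_frees;          /* frees that hit an already-released pointer */
static int fail_on_alloc;         /* fault injection: which allocation fails */
static int alloc_count;

static void tracker_reset(int fail_on) {
    memset(live, 0, sizeof live);
    double_frees = 0;
    alloc_count = 0;
    fail_on_alloc = fail_on;
}

static void *t_alloc(size_t n) {
    if (++alloc_count == fail_on_alloc) return NULL;   /* injected failure */
    void *p = calloc(1, n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_TRACKED; i++)
        if (!live[i]) { live[i] = p; return p; }
    free(p);                                            /* tracker full */
    return NULL;
}

static void t_free(void *p) {
    if (!p) return;                       /* free(NULL) is a no-op, as in libc */
    for (int i = 0; i < MAX_TRACKED; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_frees++;                       /* p was already released */
}

/* One encoder instance: a config block and a frame buffer, allocated in order. */
struct enc {
    void *cfg;
    void *frame;
};

/* Buggy multi-instance init. On a failed allocation the inner cleanup frees
 * what this instance allocated but leaves the pointers dangling; the outer
 * error path then frees every instance again, including this one. */
int init_multi_buggy(struct enc *encs, int n) {
    for (int i = 0; i < n; i++) {
        encs[i].cfg = t_alloc(64);
        encs[i].frame = encs[i].cfg ? t_alloc(1024) : NULL;
        if (!encs[i].cfg || !encs[i].frame) {
            t_free(encs[i].cfg);          /* inner cleanup, pointer left dangling */
            t_free(encs[i].frame);
            goto fail;
        }
    }
    return 0;
fail:
    for (int i = 0; i < n; i++) {         /* outer cleanup frees the same block again */
        t_free(encs[i].cfg);
        t_free(encs[i].frame);
    }
    return -1;
}

/* Fixed variant: a single release routine owns the error-path cleanup and
 * nulls each pointer after freeing it, so a repeated release is a no-op. */
static void enc_release(struct enc *e) {
    t_free(e->cfg);   e->cfg = NULL;
    t_free(e->frame); e->frame = NULL;
}

int init_multi_fixed(struct enc *encs, int n) {
    for (int i = 0; i < n; i++) {
        encs[i].cfg = t_alloc(64);
        encs[i].frame = encs[i].cfg ? t_alloc(1024) : NULL;
        if (!encs[i].cfg || !encs[i].frame)
            goto fail;                    /* no inner free: one path owns cleanup */
    }
    return 0;
fail:
    for (int i = 0; i < n; i++) enc_release(&encs[i]);
    return -1;
}

/* Run one variant with the given allocation forced to fail and report how
 * many double frees the tracker saw (-1 if the failure did not propagate). */
int double_frees_for(int (*init)(struct enc *, int), int fail_on) {
    struct enc encs[3];
    memset(encs, 0, sizeof encs);         /* zeroed so untouched slots are NULL */
    tracker_reset(fail_on);
    if (init(encs, 3) == 0) return -1;
    return double_frees;
}

int main(void) {
    /* Allocation 4 is instance 1's frame buffer: its cfg was already allocated. */
    printf("buggy: %d double free(s)\n", double_frees_for(init_multi_buggy, 4));
    printf("fixed: %d double free(s)\n", double_frees_for(init_multi_fixed, 4));
    return 0;
}
```

The bug only surfaces when the second allocation of an instance fails, because only then has the inner path something to free that the outer path will free again; failing the first allocation leaves both pointers NULL and both paths harmless, which is the kind of edge case that lets such a defect survive ordinary testing. The fix pattern is the general one: one owner for error-path cleanup, and pointers nulled after release.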
According to Mozilla’s security bulletin, the issue affects only Firefox and is fixed in version 139. The libvpx library, maintained by the WebM Project and widely used across browsers, powers VP8 and VP9 video encoding and decoding, particularly in real-time communications like WebRTC. The vulnerability’s potential for exploitation stems from its placement in the WebRTC pipeline, which processes real-time media streams from external sources, making it a viable target for remote attackers.
Google, for its part, patched the identical underlying bug as CVE-2025-5283 in Chrome 137 but rated it as medium severity. This discrepancy likely stems from the differing ways each browser integrates libvpx: Mozilla’s WebRTC stack may expose the encoder to more attacker-controlled input compared to Chrome’s architecture, or the sandboxing and memory protections in Chrome may reduce the real-world impact even if the core bug is present.
The libvpx issue was just one of several security fixes rolled out in Firefox 139. Mozilla’s advisory also lists moderate-severity bugs, including cross-origin script leaks (CVE-2025-5266), local code execution through the “Copy as cURL” feature (CVE-2025-5264, CVE-2025-5265), and various memory safety issues found by Mozilla’s fuzzing team. As a widely used, open-source browser with over 200 million users, Firefox occupies a role in the browser ecosystem that makes timely patching of such critical flaws especially important.
For end users, the best defense is to update Firefox immediately to version 139. Updates are typically delivered automatically, but users can trigger manual checks through the browser’s “About Firefox” dialog. Enterprises managing Firefox deployments should prioritize this update given the critical rating, especially if WebRTC features are in active use.
On the Chrome side, while Google assessed the libvpx issue as medium severity, the patch is already included in the stable release (Chrome 137). Chrome users should ensure auto-updates are enabled and consider restarting the browser to apply the latest security fixes.