
Newly discovered Firefox zero-days addressed

Mozilla has released updates to resolve a pair of critical out-of-bounds access flaws in the Firefox browser that were exploited as zero-days at last week's Pwn2Own Berlin hacking contest, earning bounties of $50,000 each for Palo Alto Networks' Edouard Bochin and Tao Yan, and for security researcher Manfred Paul, according to The Hacker News.

Exploitation of the vulnerabilities, tracked as CVE-2025-4918 and CVE-2025-4919, could yield an out-of-bounds read or write, which could in turn be leveraged to expose sensitive data or achieve code execution through memory corruption. The flaws affect all Firefox versions earlier than 138.0.4, as well as Firefox Extended Support Release versions before 128.10.1 and before 115.23.1. "Neither of the attacks managed to break out of our sandbox, which is required to gain control over the user's system. Despite the limited impact of these attacks, all users and administrators are advised to update Firefox as soon as possible," said Mozilla.
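The three fixed versions above sit on different release trains, so a naive "is it at least 138.0.4" check would wrongly flag a patched ESR 128.10.1 install and wrongly pass an unpatched 129.x mainline build. The following checker is an added example written for this article, not code from Mozilla or SC Media; it assumes that only the 115 ESR, 128 ESR and 138-and-later trains received the fix, and that a version string may carry an optional "esr" suffix.

```python
"""Classify Firefox version strings against the CVE-2025-4918 / CVE-2025-4919 fixes.

Fixed versions taken from the advisory: 138.0.4 (mainline), 128.10.1 (ESR 128),
115.23.1 (ESR 115). Assumption: no other release train (e.g. 116-127 or 129-137)
carries the fix, so those are reported as unpatched regardless of minor version.
"""
import re

# Minimum patched version on each train that received the fix.
FIXED_MAINLINE = (138, 0, 4)
FIXED_ESR = {115: (115, 23, 1), 128: (128, 10, 1)}


def parse_version(version: str) -> tuple:
    """Turn '128.10.1esr' or '138.0.4' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {version!r}")
    major, minor, patch, _suffix = m.groups()
    return (int(major), int(minor or 0), int(patch or 0))


def is_patched(version: str) -> bool:
    """True only if the version is on a fixed train AND at or above that train's fix."""
    v = parse_version(version)
    major = v[0]
    if major in FIXED_ESR:            # ESR 115.x or ESR 128.x
        return v >= FIXED_ESR[major]
    if major >= FIXED_MAINLINE[0]:    # 138.0.4 and every later mainline release
        return v >= FIXED_MAINLINE
    return False                      # trains that never received the fix


def unpatched_hosts(inventory):
    """inventory: iterable of (hostname, version) pairs; returns those still exposed."""
    return [(host, ver) for host, ver in inventory if not is_patched(ver)]


# Constructed sample inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("ws01", "138.0.3"),        # mainline, one patch level short
    ("ws02", "138.0.4"),        # mainline, fixed
    ("srv-esr", "128.10.1esr"), # ESR 128, fixed
    ("lab", "115.22.0esr"),     # ESR 115, behind the fix
    ("old", "127.0"),           # abandoned train, never fixed
]

if __name__ == "__main__":
    for host, ver in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Firefox {ver} is exposed to CVE-2025-4918/4919")
```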
