ISN 2025-49 Firefox ESR Vulnerabilities

First published 13 November 2025

CVSS 3.1: n/a (High)

CVSS 3.1 Vector: n/a

Summary

Several security vulnerabilities have been found in Firefox ESR, a web browser used in IGEL OS. This affects the following product versions:

  • IGEL OS 12

  • IGEL OS 11

Details

A race condition has been found in the Graphics component of Firefox ESR (CVE-2025-13012, high), along with incorrect boundary conditions in the JavaScript: WebAssembly component (CVE-2025-13016, high). In addition, a use-after-free issue affects MediaTrackGraphImpl::GetInstance (CVE-2025-11708, high), and manipulated WebGL textures can trigger out-of-bounds reads and writes in a more privileged process (CVE-2025-11709, high).

Further issues: malicious IPC messages can leak cross-process information (CVE-2025-11710, high), and there is a way to change the value of JavaScript object properties that are supposed to be non-writable (CVE-2025-11711, high).

Finally, CVE-2025-11714 and CVE-2025-11715 track memory corruption bugs that could be exploited to run arbitrary code (both high).

Update Instructions

  • OS 12: Update the Firefox ESR app to version 140.5 or newer when available from the IGEL App Portal.

  • OS 11: IGEL is preparing an OS 11 release with the fixed Firefox ESR version.

References