ISN 2025-49 Firefox ESR Vulnerabilities
First published 13 November 2025
CVSS:3.1: n/a (High)
CVSS:3.1 Vector n/a
Summary
Several security vulnerabilities have been found in Firefox ESR, a web browser used in IGEL OS. This affects the following product versions:
IGEL OS 12
IGEL OS 11
Details
A race condition has been found in the Firefox ESR Graphics component (CVE-2025-13012, high), along with incorrect boundary conditions in the JavaScript: WebAssembly component (CVE-2025-13016, high). In addition, a use-after-free issue affects MediaTrackGraphImpl::GetInstance (CVE-2025-11708, high), and manipulated WebGL textures can trigger out-of-bounds reads and writes in a more privileged process (CVE-2025-11709, high).
Further issues: Malicious IPC messages can leak cross-process information (CVE-2025-11710, high), and there is a way to change the value of JavaScript object properties that are supposed to be non-writable (CVE-2025-11711, high).
Finally, CVE-2025-11714 and CVE-2025-11715 track memory corruption bugs that could be exploited to run arbitrary code (both high).
Update Instructions
OS 12: Update the Firefox ESR app to version 140.5 or newer when available from the IGEL App Portal.
OS 11: IGEL is preparing an OS 11 release with the fixed Firefox ESR version.
References
Mozilla Foundation Security Advisory 2025-88: Security Vulnerabilities fixed in Firefox ESR 140.5
Mozilla Foundation Security Advisory 2025-83: Security Vulnerabilities fixed in Firefox ESR 140.4