Mozilla released Firefox ESR 140.6 to address several high and moderate impact security vulnerabilities, including use-after-free, sandbox escape, privilege escalation, JIT miscompilation, and same-origin policy bypass issues. Notable vulnerabilities include CVE-2025-14321 (use-after-free in WebRTC: Signaling), CVE-2025-14322 (sandbox escape in Graphics: CanvasWebGL), and multiple privilege escalation flaws in the DOM: Notifications and Netmonitor components. Several JIT miscompilation bugs in the JavaScript Engine were also patched, which could potentially allow attackers to execute arbitrary code.
Additionally, memory safety bugs affecting previous versions of Firefox ESR, Thunderbird, and Firefox were resolved, with some showing evidence of memory corruption that could be exploited. Mozilla recommends updating to Firefox ESR 140.6 to mitigate these risks and ensure systems are protected against these vulnerabilities.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
Mozilla published advisory MFSA 2025-94 for Firefox ESR 140.6, disclosing that security vulnerabilities were fixed in the release. The two references describe the same advisory and represent a single event.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.