Mozilla released Firefox 146, addressing a series of high-impact security vulnerabilities, including several use-after-free flaws, privilege escalation issues, and a sandbox escape. Notable vulnerabilities include CVE-2025-14321 (use-after-free in WebRTC: Signaling), CVE-2025-14322 (sandbox escape in Graphics: CanvasWebGL), and multiple privilege escalation bugs in components such as DOM: Notifications and Netmonitor. Several JIT miscompilation vulnerabilities in the JavaScript Engine were also patched, along with a same-origin policy bypass and spoofing issue in the Downloads Panel.
The update also resolves memory safety bugs affecting both Firefox and Thunderbird, some of which could potentially be exploited for remote code execution. Mozilla rates the overall impact of these vulnerabilities as high, urging users to update to Firefox 146 promptly to mitigate risk. The advisories provide CVE identifiers and reference associated bug reports for further technical details.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
1 event from the most recent confirmed update back to the earliest known activity.
Mozilla released security advisory MFSA 2025-92 covering security vulnerabilities fixed in Firefox 146. The two references describe the same advisory publication event.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.