Vulnerability CVE-2025-12380: Information

Description

Starting with Firefox 142, it was possible for a compromised child process to trigger a use-after-free in the GPU or browser process using WebGPU-related IPC calls. This may have been usable to escape the child process sandbox. This vulnerability affects Firefox < 144.0.2.

Severity: CRITICAL (9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
URL: https://nvd.nist.gov/vuln/detail/CVE-2025-12380
Published: Oct. 28, 2025
Modified: Oct. 30, 2025
Error type identifier: CWE-416

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
firefoxsisyphus144.0.2-alt1144.0.2-alt1ALT-PU-2025-13730-2398651Fixed
firefoxsisyphus_riscv64144.0.2-alt0.port144.0.2-alt0.portALT-PU-2025-14063-1-Fixed
firefoxsisyphus_loongarch64144.0.2-alt0.port144.0.2-alt0.portALT-PU-2025-13897-1-Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1993113
    https://www.mozilla.org/security/advisories/mfsa2025-86/
      VKontakte|Telegram|YouTube|Forum|ALT Linux Space|Bugzilla
      Version: v25.10.0
      Back to top