CVE-2026-4691
Mozilla · Firefox and Thunderbird
A use-after-free vulnerability in the CSS Parsing and Computation component of Mozilla browsers allows for potential remote code execution via specifically crafted web content.
Executive summary
Mozilla Firefox and Thunderbird are vulnerable to a critical use-after-free flaw that could allow an attacker to execute arbitrary code on a user's system.
Vulnerability
This is a use-after-free (UAF) vulnerability located within the CSS Parsing and Computation component. An unauthenticated, remote attacker can trigger the memory corruption by luring a user into loading crafted web content (for example, a malicious page or, in Thunderbird, styled message content) whose CSS is parsed and computed by the vulnerable code. A successful trigger can lead to arbitrary code execution in the context of the browser or mail client process.
Business impact
Exploitation of this vulnerability can result in full system compromise, as an attacker may gain the ability to execute code with the same privileges as the logged-in user. This poses a significant risk of data theft, malware installation, and unauthorized access to corporate resources. The CVSS score of 9.8 reflects the extreme severity and the low attack complexity; no credentials are needed, and delivering crafted content to a browser is a routine step in phishing and watering-hole campaigns.
Remediation
Immediate Action: Update all affected installations of Firefox to version 149, and apply the corresponding Firefox ESR and Thunderbird releases listed in Mozilla's advisory. Confirm the rollout with an inventory check rather than assuming auto-update succeeded; long-running browser sessions do not pick up a new version until restarted.
Proactive Monitoring: Security teams should monitor for unusual browser or mail-client crashes (a failed exploitation attempt against a memory-corruption bug often surfaces as a crash) and for unexpected outbound network connections or child processes spawned from client workstations by firefox or thunderbird.
Compensating Controls: Until patched, rely on endpoint detection and response (EDR) exploit-mitigation features to identify and block common post-exploitation techniques such as heap spraying, shellcode execution, and suspicious process injection. These controls reduce but do not remove the risk; patching is the only complete fix.
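The inventory check in the remediation steps above, as an added example that is not part of Mozilla's advisory or of this page's original content. It triages `firefox --version` / `thunderbird --version` output lines against the one fixed version this page states (mainline Firefox 149). The ESR and Thunderbird fixed versions are not given on this page, so they are left as `None` and flagged for manual verification; fill them in from Mozilla's advisory before using this at scale. The sample output lines are constructed for the example.

```python
"""Patch-status triage for CVE-2026-4691 (added example, not vendor code).

Only the mainline Firefox fix version (149) comes from the advisory text
on this page. The ESR and Thunderbird entries are assumptions left as
None so that those channels are reported as "verify", never as patched.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions per channel. None = not known from this page.
FIXED: Dict[str, Optional[Version]] = {
    "firefox": (149, 0, 0),
    "firefox-esr": None,   # assumption: fill from Mozilla's advisory
    "thunderbird": None,   # assumption: fill from Mozilla's advisory
}

# Matches the banner printed by `firefox --version` / `thunderbird --version`
# (assumed format: "Mozilla Firefox 140.3.0esr", "Thunderbird 140.2.0").
_VERSION_RE = re.compile(
    r"(?P<product>Mozilla Firefox|Thunderbird)\s+"
    r"(?P<ver>\d+(?:\.\d+)*)(?P<esr>esr)?",
    re.IGNORECASE,
)


def parse_version_line(line: str) -> Optional[Tuple[str, Version]]:
    """Return (channel, (major, minor, patch)) or None if unparseable."""
    m = _VERSION_RE.search(line)
    if not m:
        return None
    nums = tuple(int(p) for p in m.group("ver").split("."))
    ver: Version = (nums + (0, 0, 0))[:3]  # pad "149.0" to (149, 0, 0)
    if m.group("product").lower().startswith("mozilla firefox"):
        channel = "firefox-esr" if m.group("esr") else "firefox"
    else:
        channel = "thunderbird"
    return channel, ver


def triage(line: str, fixed: Dict[str, Optional[Version]] = FIXED) -> str:
    """Classify one version banner as patched / vulnerable / verify / unparsed.

    Channels whose fixed version is unknown are reported as "verify" so an
    unknown never silently counts as patched.
    """
    parsed = parse_version_line(line)
    if parsed is None:
        return "unparsed"
    channel, ver = parsed
    fixed_ver = fixed.get(channel)
    if fixed_ver is None:
        return "verify"
    return "patched" if ver >= fixed_ver else "vulnerable"


def summarize(hostname_to_banner: Dict[str, str]) -> Dict[str, list]:
    """Group hosts by triage result; the 'vulnerable' list is the work queue."""
    buckets: Dict[str, list] = {
        "patched": [], "vulnerable": [], "verify": [], "unparsed": []}
    for host, banner in sorted(hostname_to_banner.items()):
        buckets[triage(banner)].append(host)
    return buckets


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 148.0.2",
    "ws-02": "Mozilla Firefox 149.0",
    "ws-03": "Mozilla Firefox 140.3.0esr",
    "mail-07": "Thunderbird 140.2.0",
    "kiosk-09": "command not found: firefox",
}

if __name__ == "__main__":
    for bucket, hosts in summarize(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

In practice the banners come from an endpoint-management run of `firefox --version` and `thunderbird --version` (or the installed-package version on Windows and macOS); the comparison is by full version tuple so a point release above 149.0 is still counted as patched, while any host in the "verify" or "unparsed" buckets needs a human look rather than being dropped from the queue.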
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical CVSS score of 9.8 and the potential for remote code execution, this vulnerability requires immediate attention. Organizations should prioritize automated deployment of the fixed Firefox, Firefox ESR, and Thunderbird releases, verify the rollout with a version inventory, and treat any endpoint still running an unpatched build as exposed to memory corruption exploits delivered through ordinary web or e-mail content.