Security updates for Chrome, Firefox and Thunderbird

Updates close security gaps, some of them critical, in Google's Chrome and Mozilla's Firefox and Thunderbird.


The developers of Chrome, Firefox and Thunderbird released updates on Wednesday night that close security vulnerabilities in the programs, some of which are critical. Users should ensure that they are using the updated version.

A security vulnerability in all supported Firefox and Thunderbird versions is particularly serious. A double free in the libvpx encoder, in the vpx_codec_enc_init_multi function, after an incorrect allocation when initializing the encoder for WebRTC can lead to memory corruption and a potentially exploitable crash. The Mozilla developers classify the vulnerability as “critical”, as they write in the Firefox 139 security release.

They initially created a separate CVE entry for it (CVE-2025-5262), but withdrew it again because a CVE Numbering Authority (CNA) other than Mozilla is responsible for it. CISA had already proposed a CVSS calculation and arrived at a CVSS score of 7.5, which, in contrast to the Mozilla classification, rates the risk as “high”. Once the responsible CNA has created a CVE entry, the Mozilla developers intend to reference it.

The newly available versions Firefox 139, Firefox ESR 128.11, Firefox ESR 115.24 and the mail program Thunderbird 139 and 128.11 close the vulnerability. Anyone using these programs should promptly open the software's version dialog, which can usually be reached from the settings menu via the icon at the top right next to the address bar and then under “Help” – “About <program name>”. The dialog shows the current version and offers to update it if necessary.

Google has also released updated versions of the Chrome web browser. They close a total of eight security vulnerabilities, of which the developers have classified two as high risk, five as medium risk and one as low risk. The high-risk vulnerabilities include access to resources that have already been freed (use after free) in compositing, which attackers can often misuse to inject malicious code. In addition, a write outside the intended memory bounds in the JavaScript engine V8 can have a similar effect.

Anyone using Chrome should therefore check that the version is already at 137.0.7151.51 for iOS, 137.0.7151.55 for Linux and 137.0.7151.55/56 for macOS and Windows.
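For administrators who need to check more than one machine, the version checks described above for Firefox, Thunderbird and Chrome can be run over a software inventory. The following is an added example, not code from heise, Mozilla or Google; the inventory rows are constructed, and it assumes the major version number alone identifies a Mozilla ESR branch.

```python
import re

# Fixed versions as given in the article: branch major -> minimum fixed version.
MOZILLA_FIXED = {
    "firefox": {115: (115, 24), 128: (128, 11), 139: (139,)},
    "thunderbird": {128: (128, 11), 139: (139,)},
}
# The article lists 137.0.7151.55/56 for macOS and Windows; .55 is the floor.
CHROME_FIXED = {
    "ios": (137, 0, 7151, 51), "linux": (137, 0, 7151, 55),
    "macos": (137, 0, 7151, 55), "windows": (137, 0, 7151, 55),
}

def parse_version(text):
    """Turn '128.11.0esr' or '137.0.7151.55' into a tuple of ints."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group().split("."))

def is_patched(product, version, platform="linux"):
    """True if the version is at or above the fixed release for its branch."""
    found = parse_version(version)
    product = product.lower()
    if product == "chrome":
        return found >= CHROME_FIXED[platform.lower()]
    branches = MOZILLA_FIXED[product]
    # Assumption: the major number identifies the ESR branch. Any other major,
    # including branches no longer supported, must reach the newest release.
    required = branches.get(found[0], branches[max(branches)])
    return found >= required

# Constructed sample inventory: (host, product, version, platform).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "139.0", "windows"),
    ("ws-02", "firefox", "128.10.1esr", "linux"),
    ("ws-03", "firefox", "115.24.0esr", "windows"),
    ("ws-04", "thunderbird", "128.11.0esr", "linux"),
    ("ws-05", "thunderbird", "138.0.1", "macos"),
    ("ws-06", "chrome", "137.0.7151.56", "windows"),
    ("ws-07", "chrome", "137.0.7151.40", "linux"),
    ("ph-01", "chrome", "137.0.7151.51", "ios"),
]

def unpatched(inventory):
    """Return the rows that still run a version older than the fixed one."""
    return [row for row in inventory if not is_patched(row[1], row[2], row[3])]

if __name__ == "__main__":
    for host, product, version, platform in unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} ({platform}) needs the update")
```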

Two weeks ago, Google's developers patched a security vulnerability in Chrome, for which an exploit was already circulating on the web.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.