{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14860", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2025-12-18T00:22:09.553Z", "datePublished": "2025-12-18T14:21:13.483Z", "dateUpdated": "2026-04-13T14:30:31.682Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "146.0.1", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 146.0.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 146.0.1."}]}], "title": "Use-after-free in the Disability Access APIs component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2000597"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-98/"}], "credits": [{"lang": "en", "value": "Irvan Kurniawan"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:31.682Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "CWE-416 Use After Free"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-12-19T20:34:43.446809Z", "id": "CVE-2025-14860", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-19T20:35:53.096Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-14860", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-19T20:34:43.446809Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-19T20:35:27.943Z"}}], "cna": {"title": "Use-after-free in the Disability Access APIs component", "credits": [{"lang": "en", "value": "Irvan Kurniawan"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "146.0.1", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2000597"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2025-98/"}], "descriptions": [{"lang": "en", "value": "Use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 146.0.1.", "supportingMedia": [{"type": "text/html", "value": "Use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 146.0.1.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T14:30:31.682Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14860", "state": "PUBLISHED", "dateUpdated": "2026-04-13T14:30:31.682Z", "dateReserved": "2025-12-18T00:22:09.553Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2025-12-18T14:21:13.483Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "A4308430-B3C6-4451-8A1B-BDD115E81819", "versionEndExcluding": "146.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 146.0.1."}], "id": "CVE-2025-14860", "lastModified": "2026-04-13T15:16:47.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2025-12-18T15:15:53.057", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2000597"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2025-98/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T18:53:41.222437+00:00", "value": {"mitigation_remediation": ["Upgrade to Firefox 146.0.1 or later to patch the CWE\u2011416 Use\u2011After\u2011Free flaw in the Disability Access APIs.", "Temporarily disable the Disability Access feature (e.g., set the accessibility behaviour preference to off) until the patch is applied.", "Enable automatic Firefox updates to receive future security patches promptly."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox versions earlier than 146.0.1 are affected. The problem originates in the Disability Access APIs component that provides accessibility features for users with disabilities.", "description_and_impact": "This vulnerability is a use\u2011after\u2011free flaw (CWE\u2011416) in Firefox\u2019s Disability Access APIs. The bug permits an attacker to access memory that has already been freed, which can lead to arbitrary code execution or a targeted crash. The flaw has a high severity with a CVSS score of 9.8 and is identified as a serious risk for any affected versions.", "risk_and_exploitability": "The CVSS score of 9.8 indicates high risk; however, the EPSS score of less than 1% signals that the likelihood of exploitation is currently low. The flaw is not listed in the CISA KEV catalog, so no active exploitation has been reported. Attackers would need to lure a user to a page that exercises the vulnerable accessibility APIs, which likely requires malicious JavaScript or a crafted web page."}}}}, "created": "2025-12-19T09:16:13.394011+00:00", "updated": "2026-04-20T19:00:10.688536+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}