AI security firm AISLE said it discovered a serious flaw in the Firefox web browser that went unnoticed for about six months and could have allowed attackers to run arbitrary instructions on users’ computers, potentially affecting more than 180 million users.
The flaw, tracked as CVE-2025-13016, involved a stack buffer overflow in a component of Firefox that handles WebAssembly, a fast-running code format used by games and complex web applications. The error occurred within the browser’s Garbage Collection (GC) memory feature.
AISLE said the issue stemmed from a single line of incorrect math involving memory pointers that caused too much data to be written into a temporary buffer, corrupting adjacent memory. The company identified two specific failures: the code copied twice the intended amount of data and it copied from the wrong memory location, which could allow an attacker to hijack program flow and execute arbitrary code.
The vulnerable code was introduced on April 7, 2025, and affected multiple releases, including Firefox 143 through early 145 and ESR versions before 140.5. The defect was discovered on Oct. 2, 2025 by AISLE researcher Igor Morgenstern, reported to Mozilla, confirmed on Oct. 14 and fixed the following day, according to the company’s blog post.
Mozilla rated the issue as High severity with a CVSS score of 7.5 and published a security advisory. Exploitation would require a user to visit a malicious webpage at a specific moment, such as under high memory pressure. The flaw affected Windows, macOS, Linux and Android, and the fix is available in Firefox 145 and Firefox ESR 140.5 and later; major Linux distributions deployed updates quickly, with Arch Linux updating within 24 hours.
The report did not state whether the vulnerability had been exploited in the wild. Users are advised to update Firefox to the latest available version; Mozilla’s security advisory is published here.