CVE-2025-11708: 
NixOS vulnerability analysis and mitigation

CVE-2025-11708 is a high-impact use-after-free vulnerability discovered in the MediaTrackGraphImpl::GetInstance() function affecting multiple Mozilla products. The vulnerability was disclosed on October 14, 2025, and affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4 (Mozilla Advisory).

The vulnerability is characterized as a use-after-free condition specifically occurring in the MediaTrackGraphImpl::GetInstance() function. This type of vulnerability typically occurs when a program continues to use a pointer after it has been freed, which can lead to program crashes or potential code execution. The issue was discovered by security researcher Irvan Kurniawan and has been rated as having a high impact (Mozilla Advisory).

The vulnerability has been classified as high impact by Mozilla. In Thunderbird, while the risk is somewhat mitigated as scripting is disabled when reading mail, the vulnerability remains a potential risk in browser or browser-like contexts (Mozilla Advisory).

Mozilla has addressed this vulnerability in Firefox 144, Firefox ESR 140.4, Thunderbird 144, and Thunderbird ESR 140.4. Users are advised to update to these versions or later to mitigate the risk (Mozilla Advisory).