Firefox Fixes Flaws That Risk Crashes, Code Execution
Mozilla patched two high-impact vulnerabilities in Firefox 139.0.4 that could lead to browser crashes or remote code execution. The flaws—CVE-2025-49709 and CVE-2025-49710—affect key components of the browser’s graphics rendering system and JavaScript engine.
The first, CVE-2025-49709, involves memory corruption triggered by specific canvas operations. Improper handling of canvas surfaces could compromise memory integrity, enabling denial-of-service conditions or arbitrary code execution. The second, CVE-2025-49710, is an integer overflow in the OrderedHashTable, a structure essential to JavaScript’s Map and Set objects. This bug could result in heap buffer overflows when users interact with malicious web content.
Both issues carry CVSS scores above 8.5, indicating high severity. Mozilla urges users to update immediately through Firefox’s built-in updater or the official website. Organizations are advised to deploy the patch across their systems to maintain security compliance and mitigate potential exploitation. Firefox 139.0.4 contains fixes that address both vulnerabilities without affecting performance or compatibility.
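One way to verify the rollout described above, as an added example that is not from Mozilla or the original article: it classifies `firefox --version` output collected from hosts against the 139.0.4 release named here. The host names and inventory are constructed, and because the article does not name fixed ESR or pre-release builds, those are routed to manual review instead of being compared numerically.

```python
import re

FIXED = (139, 0, 4)  # fixed release named in the article

# Constructed sample inventory: host -> output of `firefox --version`
SAMPLE_INVENTORY = {
    "ws-001": "Mozilla Firefox 139.0.4",
    "ws-002": "Mozilla Firefox 139.0.1",
    "ws-003": "Mozilla Firefox 140.0",
    "ws-004": "Mozilla Firefox 128.11.0esr",
    "ws-005": "Mozilla Firefox 139.0b9",
    "ws-006": "command not found",
}

# major.minor[.patch] with an optional channel suffix (esr, aN, bN)
VERSION_RE = re.compile(
    r"^Mozilla Firefox (\d+)\.(\d+)(?:\.(\d+))?(esr|[ab]\d+)?$"
)


def classify(version_output):
    """Return 'patched', 'outdated', 'review' or 'unknown' for one line."""
    m = VERSION_RE.match(version_output.strip())
    if not m:
        return "unknown"  # browser missing or unexpected output
    major, minor, patch, suffix = m.groups()
    if suffix:
        # ESR and pre-release channels use their own version lines; the
        # article only names 139.0.4, so do not compare them numerically.
        return "review"
    version = (int(major), int(minor), int(patch or 0))
    return "patched" if version >= FIXED else "outdated"


def audit(inventory):
    """Group host names by classification."""
    report = {}
    for host, output in sorted(inventory.items()):
        report.setdefault(classify(output), []).append(host)
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts in the `review` and `unknown` groups need a check against Mozilla's advisory or a manual inspection before they are counted as compliant.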
