Full Report
Mozilla has rolled out an emergency Firefox 139.0.1 update after the Tuesday release caused graphical artifacts on PCs with NVIDIA GPUs. [...]
Analysis Summary
# Vulnerability: Graphics Corruption Artifacts in Firefox due to Nvidia GPU/Mixed Refresh Rate Interaction
## CVE Details
- CVE ID: None provided. (This appears to be a non-security patch addressing a rendering bug.)
- CVSS Score: Not applicable/Not provided (Issue appears to be rendering artifacting/UX degradation, not a direct security vulnerability).
- CWE: Not applicable/Not provided
## Affected Systems
- Products: Mozilla Firefox
- Versions: Firefox 139.0 (prior to 139.0.1 update)
- Configurations: Systems running Windows 10, utilizing NVIDIA GPUs, configured with multiple monitors running at mixed refresh rates (specifically when playing 60 FPS video content).
## Vulnerability Description
Firefox version 139 removed a blocklist that previously prevented the browser from using Windows DirectComposition (specifically using Surfaces rather than Swapchains) on mixed-refresh-rate NVIDIA setups. This change exposed a bug in the NVIDIA graphics driver interaction. When a user played 60 FPS video content while scrolling or hovering over content on a separate high-refresh monitor, the video buffer would leak into the other window, manifesting as flashing artifacts or corruption upon repainting. The issue did not occur with 30 FPS content as the frame timing aligned better with mixed refresh rates. Single-monitor setups and systems using AMD/Intel GPUs were not affected.
## Exploitation
- Status: Not applicable (This describes a functional/rendering bug, not a security exploit).
- Complexity: Not applicable
- Attack Vector: Not applicable
## Impact
- Confidentiality: No direct impact described.
- Integrity: Visual corruption and display artifacts. Potential minor impact on data presentation integrity due to buffer leakage.
- Availability: Negligible impact, primarily a user experience degradation.
## Remediation
### Patches
- Firefox 139.0.1: This update restores the blocklist that was removed in version 139. Mozilla noted this fix addresses "graphics corruption with certain NVIDIA graphics adapters and multiple monitors running at mixed refresh rates after updating to Firefox 139."
### Workarounds
- None explicitly required, as the patch resolves the issue. (In pre-139.0.1 versions, users could potentially avoid the issue by only running 30 FPS content or using a single monitor setup, but this is not an official mitigation.)
## Detection
- Indicators of Compromise: None in the security sense, since this is a rendering bug. The observable symptom is flashing visual artifacts or corruption that appear when 60 FPS video plays alongside activity (scrolling/hovering) on a secondary monitor with a different refresh rate, specifically on systems with NVIDIA GPUs.
- Detection methods and tools: Visual inspection of display output on affected systems.
## References
- Vendor Advisories: Mozilla Firefox 139.0.1 release notes
- Relevant links:
  - hxxps://www.bleepingcomputer.com/news/software/mozilla-releases-firefox-13901-update-to-fix-artifacts-on-nvidia-gpus/
  - hxxp://bugzilla.mozilla.org/show_bug.cgi?id=1968876
  - hxxps://www.mozilla.org/en-US/firefox/139.0/releasenotes/