CRITICAL🇵🇱 Wersja polska

CVE-2026-2771

CVSS 9.8v3.1pub. 2026-02-24upd. 2026-06-30

Undefined behavior in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

🤖 AI Analysis
How it works

The vulnerability results from undefined behavior in the DOM (Document Object Model) processing engine responsible for handling core and HTML components. According to CWE-125 classification, the vulnerability may involve reading data outside the intended memory buffer. The attack vector is network (AV:N), requires no privileges (PR:N) or user interaction (UI:N), which means that simply visiting a maliciously crafted website or opening an appropriately prepared message may be sufficient to trigger the vulnerability.

Impact

An attacker can potentially obtain sensitive information from process memory, compromise data integrity, or cause loss of application availability. The full impact includes a high level of confidentiality, integrity, and availability breach (C:H/I:H/A:H).

Mitigation & patch

Update immediately to Mozilla Firefox 148, Firefox ESR 115.33 or Firefox ESR 140.8, and Mozilla Thunderbird 148 or Thunderbird 140.8, in which the vulnerability has been eliminated.

Who is affected

Mozilla Firefox versions before 148 and Firefox ESR before 115.33 and Firefox ESR 140.8; Mozilla Thunderbird versions before 148 and Thunderbird 140.8.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 115.33.0< 148.0128.0 – 140.8.0 (bez)
  • Mozilla Thunderbird

    APP
    Mozilla
    < 140.8.0< 148.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...