CRITICAL🇵🇱 Wersja polska

CVE-2026-4721

CVSS 9.8v3.1pub. 2026-03-24upd. 2026-06-30

Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

🤖 AI Analysis
How it works

The vulnerability results from memory management errors present in the mentioned versions of Firefox and Thunderbird, classified as buffer overflow (CWE-120). Some of the identified errors showed evidence of actual memory corruption during analysis. According to Mozilla, with sufficient effort, some of these errors could be exploited to execute arbitrary code. The attack vector is network-based, requires no authentication or user interaction (AV:N/AC:L/PR:N/UI:N).

Impact

Successful exploitation of the vulnerability may enable an attacker to execute arbitrary code remotely (RCE) on the vulnerable system, leading to complete compromise of data confidentiality, integrity, and availability.

Mitigation & patch

Software must be updated to the following versions containing patches: Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, Thunderbird ESR 140.9. Patches are available through Mozilla's automatic update mechanism and on the manufacturer's official website (references: mfsa2026-20, mfsa2026-21, mfsa2026-22, mfsa2026-23).

Who is affected

Mozilla Firefox 148, Mozilla Firefox ESR 115.33, Mozilla Firefox ESR 140.8, Mozilla Thunderbird 148, Mozilla Thunderbird ESR 140.8

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 115.34.0< 149.0128.0 – 140.9.0 (bez)
  • Mozilla Thunderbird

    APP
    Mozilla
    < 140.9.0< 149.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...