Vulnerability-Lookup

alsa-2026:5932

Vulnerability from osv_almalinux

Published

2026-03-26 00:00

Modified

2026-03-30 10:46

Summary

Important: firefox security update

Details

Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.

Security Fix(es):

firefox: thunderbird: Use-after-free in the JavaScript Engine component (CVE-2026-4701)
firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 (CVE-2026-4721)
firefox: thunderbird: Privilege escalation in the Netmonitor component (CVE-2026-4717)
firefox: thunderbird: Sandbox escape due to use-after-free in the Disability Access APIs component (CVE-2026-4688)
firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4706)
firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Web Codecs component (CVE-2026-4695)
firefox: thunderbird: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component (CVE-2026-4689)
firefox: thunderbird: JIT miscompilation in the JavaScript Engine: JIT component (CVE-2026-4698)
firefox: thunderbird: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component (CVE-2026-4716)
firefox: thunderbird: Race condition, use-after-free in the Graphics: WebRender component (CVE-2026-4684)
firefox: thunderbird: Undefined behavior in the WebRTC: Signaling component (CVE-2026-4705)
firefox: thunderbird: Uninitialized memory in the Graphics: Canvas2D component (CVE-2026-4715)
firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4685)
firefox: thunderbird: Incorrect boundary conditions in the Audio/Video component (CVE-2026-4714)
firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: GMP component (CVE-2026-4709)
firefox: thunderbird: Incorrect boundary conditions in the Audio/Video component (CVE-2026-4710)
firefox: thunderbird: Information disclosure in the Widget: Cocoa component (CVE-2026-4712)
firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Web Codecs component (CVE-2026-4697)
firefox: thunderbird: Incorrect boundary conditions in the Graphics component (CVE-2026-4713)
firefox: thunderbird: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component (CVE-2026-4690)
firefox: thunderbird: Use-after-free in the Widget: Cocoa component (CVE-2026-4711)
firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4686)
firefox: thunderbird: Incorrect boundary conditions in the Graphics component (CVE-2026-4708)
firefox: thunderbird: Use-after-free in the CSS Parsing and Computation component (CVE-2026-4691)
firefox: thunderbird: Incorrect boundary conditions in the Layout: Text and Fonts component (CVE-2026-4699)
firefox: thunderbird: Use-after-free in the Layout: Text and Fonts component (CVE-2026-4696)
firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Playback component (CVE-2026-4693)
firefox: thunderbird: Undefined behavior in the WebRTC: Signaling component (CVE-2026-4718)
firefox: thunderbird: JIT miscompilation in the JavaScript Engine component (CVE-2026-4702)
firefox: thunderbird: Incorrect boundary conditions in the Graphics: Text component (CVE-2026-4719)
firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics component (CVE-2026-4694)
firefox: thunderbird: Sandbox escape in the Responsive Design Mode component (CVE-2026-4692)
firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 (CVE-2026-4720)
firefox: thunderbird: Mitigation bypass in the Networking: HTTP component (CVE-2026-4700)
firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4707)
firefox: thunderbird: Denial-of-service in the WebRTC: Signaling component (CVE-2026-4704)
firefox: thunderbird: Sandbox escape due to incorrect boundary conditions in the Telemetry component (CVE-2026-4687)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2026:5932	ADVISORY
	https://access.redhat.com/security/cve/CVE-2026-4684	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4685	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4686	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4687	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4688	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4689	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4690	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4691	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4692	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4693	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4694	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4695	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4696	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4697	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4698	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4699	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4700	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4701	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4702	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4704	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4705	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4706	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4707	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4708	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4709	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4710	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4711	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4712	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4713	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4714	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4715	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4716	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4717	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4718	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4719	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4720	REPORT
	https://access.redhat.com/security/cve/CVE-2026-4721	REPORT
	https://bugzilla.redhat.com/2450710	REPORT
	https://bugzilla.redhat.com/2450711	REPORT
	https://bugzilla.redhat.com/2450712	REPORT
	https://bugzilla.redhat.com/2450713	REPORT
	https://bugzilla.redhat.com/2450714	REPORT
	https://bugzilla.redhat.com/2450715	REPORT
	https://bugzilla.redhat.com/2450718	REPORT
	https://bugzilla.redhat.com/2450719	REPORT
	https://bugzilla.redhat.com/2450720	REPORT
	https://bugzilla.redhat.com/2450721	REPORT
	https://bugzilla.redhat.com/2450722	REPORT
	https://bugzilla.redhat.com/2450723	REPORT
	https://bugzilla.redhat.com/2450724	REPORT
	https://bugzilla.redhat.com/2450725	REPORT
	https://bugzilla.redhat.com/2450726	REPORT
	https://bugzilla.redhat.com/2450727	REPORT
	https://bugzilla.redhat.com/2450728	REPORT
	https://bugzilla.redhat.com/2450729	REPORT
	https://bugzilla.redhat.com/2450730	REPORT
	https://bugzilla.redhat.com/2450732	REPORT
	https://bugzilla.redhat.com/2450733	REPORT
	https://bugzilla.redhat.com/2450734	REPORT
	https://bugzilla.redhat.com/2450735	REPORT
	https://bugzilla.redhat.com/2450738	REPORT
	https://bugzilla.redhat.com/2450739	REPORT
	https://bugzilla.redhat.com/2450740	REPORT
	https://bugzilla.redhat.com/2450741	REPORT
	https://bugzilla.redhat.com/2450742	REPORT
	https://bugzilla.redhat.com/2450744	REPORT
	https://bugzilla.redhat.com/2450746	REPORT
	https://bugzilla.redhat.com/2450747	REPORT
	https://bugzilla.redhat.com/2450748	REPORT
	https://bugzilla.redhat.com/2450751	REPORT
	https://bugzilla.redhat.com/2450752	REPORT
	https://bugzilla.redhat.com/2450755	REPORT
	https://bugzilla.redhat.com/2450756	REPORT
	https://bugzilla.redhat.com/2450757	REPORT
	https://errata.almalinux.org/8/ALSA-2026-5932.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "firefox"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "140.9.0-1.el8_10.alma.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability.  \n\nSecurity Fix(es):  \n\n  * firefox: thunderbird: Use-after-free in the JavaScript Engine component (CVE-2026-4701)\n  * firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 (CVE-2026-4721)\n  * firefox: thunderbird: Privilege escalation in the Netmonitor component (CVE-2026-4717)\n  * firefox: thunderbird: Sandbox escape due to use-after-free in the Disability Access APIs component (CVE-2026-4688)\n  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4706)\n  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Web Codecs component (CVE-2026-4695)\n  * firefox: thunderbird: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component (CVE-2026-4689)\n  * firefox: thunderbird: JIT miscompilation in the JavaScript Engine: JIT component (CVE-2026-4698)\n  * firefox: thunderbird: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component (CVE-2026-4716)\n  * firefox: thunderbird: Race condition, use-after-free in the Graphics: WebRender component (CVE-2026-4684)\n  * firefox: thunderbird: Undefined behavior in the WebRTC: Signaling component (CVE-2026-4705)\n  * firefox: thunderbird: Uninitialized memory in the Graphics: Canvas2D component (CVE-2026-4715)\n  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4685)\n  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video component (CVE-2026-4714)\n  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: GMP component (CVE-2026-4709)\n  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video component (CVE-2026-4710)\n  * firefox: thunderbird: Information disclosure in the Widget: Cocoa component (CVE-2026-4712)\n  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Web Codecs component (CVE-2026-4697)\n  * firefox: thunderbird: Incorrect boundary conditions in the Graphics component (CVE-2026-4713)\n  * firefox: thunderbird: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component (CVE-2026-4690)\n  * firefox: thunderbird: Use-after-free in the Widget: Cocoa component (CVE-2026-4711)\n  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4686)\n  * firefox: thunderbird: Incorrect boundary conditions in the Graphics component (CVE-2026-4708)\n  * firefox: thunderbird: Use-after-free in the CSS Parsing and Computation component (CVE-2026-4691)\n  * firefox: thunderbird: Incorrect boundary conditions in the Layout: Text and Fonts component (CVE-2026-4699)\n  * firefox: thunderbird: Use-after-free in the Layout: Text and Fonts component (CVE-2026-4696)\n  * firefox: thunderbird: Incorrect boundary conditions in the Audio/Video: Playback component (CVE-2026-4693)\n  * firefox: thunderbird: Undefined behavior in the WebRTC: Signaling component (CVE-2026-4718)\n  * firefox: thunderbird: JIT miscompilation in the JavaScript Engine component (CVE-2026-4702)\n  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Text component (CVE-2026-4719)\n  * firefox: thunderbird: Incorrect boundary conditions, integer overflow in the Graphics component (CVE-2026-4694)\n  * firefox: thunderbird: Sandbox escape in the Responsive Design Mode component (CVE-2026-4692)\n  * firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149 (CVE-2026-4720)\n  * firefox: thunderbird: Mitigation bypass in the Networking: HTTP component (CVE-2026-4700)\n  * firefox: thunderbird: Incorrect boundary conditions in the Graphics: Canvas2D component (CVE-2026-4707)\n  * firefox: thunderbird: Denial-of-service in the WebRTC: Signaling component (CVE-2026-4704)\n  * firefox: thunderbird: Sandbox escape due to incorrect boundary conditions in the Telemetry component (CVE-2026-4687)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2026:5932",
  "modified": "2026-03-30T10:46:04Z",
  "published": "2026-03-26T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2026:5932"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4684"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4685"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4686"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4687"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4688"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4689"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4690"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4691"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4692"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4693"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4694"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4695"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4696"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4697"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4698"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4699"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4700"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4701"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4702"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4704"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4705"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4706"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4707"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4708"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4709"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4710"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4711"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4712"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4713"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4714"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4715"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4716"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4717"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4718"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4719"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4720"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2026-4721"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450710"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450711"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450712"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450713"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450714"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450715"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450718"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450719"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450720"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450721"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450722"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450723"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450724"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450725"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450726"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450727"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450728"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450729"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450730"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450732"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450733"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450734"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450735"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450738"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450739"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450740"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450741"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450742"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450744"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450746"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450747"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450748"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450751"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450752"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450755"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450756"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2450757"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2026-5932.html"
    }
  ],
  "related": [
    "CVE-2026-4701",
    "CVE-2026-4721",
    "CVE-2026-4717",
    "CVE-2026-4688",
    "CVE-2026-4706",
    "CVE-2026-4695",
    "CVE-2026-4689",
    "CVE-2026-4698",
    "CVE-2026-4716",
    "CVE-2026-4684",
    "CVE-2026-4705",
    "CVE-2026-4715",
    "CVE-2026-4685",
    "CVE-2026-4714",
    "CVE-2026-4709",
    "CVE-2026-4710",
    "CVE-2026-4712",
    "CVE-2026-4697",
    "CVE-2026-4713",
    "CVE-2026-4690",
    "CVE-2026-4711",
    "CVE-2026-4686",
    "CVE-2026-4708",
    "CVE-2026-4691",
    "CVE-2026-4699",
    "CVE-2026-4696",
    "CVE-2026-4693",
    "CVE-2026-4718",
    "CVE-2026-4702",
    "CVE-2026-4719",
    "CVE-2026-4694",
    "CVE-2026-4692",
    "CVE-2026-4720",
    "CVE-2026-4700",
    "CVE-2026-4707",
    "CVE-2026-4704",
    "CVE-2026-4687"
  ],
  "summary": "Important: firefox security update"
}

CVE-2026-4684 (GCVE-0-2026-4684)

Vulnerability from cvelistv5 – Published: 2026-03-24 12:30 – Updated: 2026-04-13 13:46

Title

Race condition, use-after-free in the Graphics: WebRender component

Summary

Race condition, use-after-free in the Graphics: WebRender component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free
CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Assigner

mozilla

References

6 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=2011129
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

2 products

Vendor	Product	Version
Mozilla	Firefox	Unaffected: 115.34 , ≤ 115.* (rpm) Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)
Mozilla	Thunderbird	Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)

Credits

Oskar L

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4684",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-362",
                "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T03:55:48.183Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "115.*",
              "status": "unaffected",
              "version": "115.34",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Oskar L"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Race condition, use-after-free in the Graphics: WebRender component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
            }
          ],
          "value": "Race condition, use-after-free in the Graphics: WebRender component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T13:46:22.818Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2011129"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-21/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"
        }
      ],
      "title": "Race condition, use-after-free in the Graphics: WebRender component"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-4684",
    "datePublished": "2026-03-24T12:30:20.420Z",
    "dateReserved": "2026-03-23T23:21:29.581Z",
    "dateUpdated": "2026-04-13T13:46:22.818Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4685 (GCVE-0-2026-4685)

Vulnerability from cvelistv5 – Published: 2026-03-24 12:30 – Updated: 2026-05-07 14:49

Title

Incorrect boundary conditions in the Graphics: Canvas2D component

Summary

Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-754 - Improper Check for Unusual or Exceptional Conditions

Assigner

mozilla

References

6 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=2016349
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

2 products

Vendor	Product	Version
Mozilla	Firefox	Unaffected: 115.34 , ≤ 115.* (rpm) Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)
Mozilla	Thunderbird	Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)

Credits

Sajeeb Lohani

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4685",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T12:43:23.356262Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-754",
                "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-07T14:49:55.459Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "115.*",
              "status": "unaffected",
              "version": "115.34",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sajeeb Lohani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
            }
          ],
          "value": "Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T13:47:24.448Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016349"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-21/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"
        }
      ],
      "title": "Incorrect boundary conditions in the Graphics: Canvas2D component"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-4685",
    "datePublished": "2026-03-24T12:30:21.064Z",
    "dateReserved": "2026-03-23T23:21:31.793Z",
    "dateUpdated": "2026-05-07T14:49:55.459Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4686 (GCVE-0-2026-4686)

Vulnerability from cvelistv5 – Published: 2026-03-24 12:30 – Updated: 2026-05-07 14:50

Title

Incorrect boundary conditions in the Graphics: Canvas2D component

Summary

Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-754 - Improper Check for Unusual or Exceptional Conditions

Assigner

mozilla

References

6 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=2016351
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

2 products

Vendor	Product	Version
Mozilla	Firefox	Unaffected: 115.34 , ≤ 115.* (rpm) Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)
Mozilla	Thunderbird	Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)

Credits

Sajeeb Lohani

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4686",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T12:44:29.643481Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-754",
                "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-07T14:50:23.927Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "115.*",
              "status": "unaffected",
              "version": "115.34",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sajeeb Lohani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
            }
          ],
          "value": "Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T13:48:30.630Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016351"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-21/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"
        }
      ],
      "title": "Incorrect boundary conditions in the Graphics: Canvas2D component"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-4686",
    "datePublished": "2026-03-24T12:30:21.639Z",
    "dateReserved": "2026-03-23T23:21:33.801Z",
    "dateUpdated": "2026-05-07T14:50:23.927Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4687 (GCVE-0-2026-4687)

Vulnerability from cvelistv5 – Published: 2026-03-24 12:30 – Updated: 2026-04-13 13:48

Title

Sandbox escape due to incorrect boundary conditions in the Telemetry component

Summary

Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Severity ?

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Assigner

mozilla

References

6 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=2016368
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

2 products

Vendor	Product	Version
Mozilla	Firefox	Unaffected: 115.34 , ≤ 115.* (rpm) Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)
Mozilla	Thunderbird	Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)

Credits

Sajeeb Lohani

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.6,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4687",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T03:55:57.976646Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-120",
                "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:06:49.307Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "115.*",
              "status": "unaffected",
              "version": "115.34",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sajeeb Lohani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
            }
          ],
          "value": "Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T13:48:33.096Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016368"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-21/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"
        }
      ],
      "title": "Sandbox escape due to incorrect boundary conditions in the Telemetry component"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-4687",
    "datePublished": "2026-03-24T12:30:22.179Z",
    "dateReserved": "2026-03-23T23:21:35.819Z",
    "dateUpdated": "2026-04-13T13:48:33.096Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4688 (GCVE-0-2026-4688)

Vulnerability from cvelistv5 – Published: 2026-03-24 12:30 – Updated: 2026-04-13 13:48

Title

Sandbox escape due to use-after-free in the Disability Access APIs component

Summary

Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Severity ?

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

mozilla

References

5 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=2016373
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

2 products

Vendor	Product	Version
Mozilla	Firefox	Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)
Mozilla	Thunderbird	Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)

Credits

Sajeeb Lohani

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.6,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4688",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T03:55:59.035622Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:08:27.170Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sajeeb Lohani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
            }
          ],
          "value": "Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T13:48:35.360Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016373"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"
        }
      ],
      "title": "Sandbox escape due to use-after-free in the Disability Access APIs component"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-4688",
    "datePublished": "2026-03-24T12:30:22.710Z",
    "dateReserved": "2026-03-23T23:21:37.949Z",
    "dateUpdated": "2026-04-13T13:48:35.360Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4689 (GCVE-0-2026-4689)

Vulnerability from cvelistv5 – Published: 2026-03-24 12:30 – Updated: 2026-04-13 13:48

Title

Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component

Summary

Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Severity ?

10 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-190 - Integer Overflow or Wraparound

Assigner

mozilla

References

6 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=2016374
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

2 products

Vendor	Product	Version
Mozilla	Firefox	Unaffected: 115.34 , ≤ 115.* (rpm) Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)
Mozilla	Thunderbird	Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)

Credits

Sajeeb Lohani

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 10,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4689",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T03:56:00.258280Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-120",
                "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "CWE-190 Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:05:39.137Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "115.*",
              "status": "unaffected",
              "version": "115.34",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sajeeb Lohani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
            }
          ],
          "value": "Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T13:48:38.103Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016374"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-21/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"
        }
      ],
      "title": "Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-4689",
    "datePublished": "2026-03-24T12:30:23.260Z",
    "dateReserved": "2026-03-23T23:21:39.901Z",
    "dateUpdated": "2026-04-13T13:48:38.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4690 (GCVE-0-2026-4690)

Vulnerability from cvelistv5 – Published: 2026-03-24 12:30 – Updated: 2026-04-13 13:48

Title

Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component

Summary

Severity ?

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-190 - Integer Overflow or Wraparound
CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Assigner

mozilla

References

6 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=2016375
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

2 products

Vendor	Product	Version
Mozilla	Firefox	Unaffected: 115.34 , ≤ 115.* (rpm) Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)
Mozilla	Thunderbird	Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)

Credits

Sajeeb Lohani

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.6,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4690",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T03:56:01.292493Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "CWE-190 Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          },
          {
            "descriptions": [
              {
                "cweId": "CWE-120",
                "description": "CWE-120 Buffer Copy without Checking Size of Input (\u0027Classic Buffer Overflow\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:07:54.846Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "115.*",
              "status": "unaffected",
              "version": "115.34",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sajeeb Lohani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
            }
          ],
          "value": "Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T13:48:40.559Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016375"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-21/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"
        }
      ],
      "title": "Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-4690",
    "datePublished": "2026-03-24T12:30:23.812Z",
    "dateReserved": "2026-03-23T23:21:42.156Z",
    "dateUpdated": "2026-04-13T13:48:40.559Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4691 (GCVE-0-2026-4691)

Vulnerability from cvelistv5 – Published: 2026-03-24 12:30 – Updated: 2026-05-07 14:50

Title

Use-after-free in the CSS Parsing and Computation component

Summary

Use-after-free in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

mozilla

References

6 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=2017512
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

2 products

Vendor	Product	Version
Mozilla	Firefox	Unaffected: 115.34 , ≤ 115.* (rpm) Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)
Mozilla	Thunderbird	Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)

Credits

Fabius Artrel

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4691",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T12:49:03.878448Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-07T14:50:45.605Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "115.*",
              "status": "unaffected",
              "version": "115.34",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Fabius Artrel"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use-after-free in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
            }
          ],
          "value": "Use-after-free in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T13:48:42.999Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2017512"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-21/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"
        }
      ],
      "title": "Use-after-free in the CSS Parsing and Computation component"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-4691",
    "datePublished": "2026-03-24T12:30:24.376Z",
    "dateReserved": "2026-03-23T23:21:44.154Z",
    "dateUpdated": "2026-05-07T14:50:45.605Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4692 (GCVE-0-2026-4692)

Vulnerability from cvelistv5 – Published: 2026-03-24 12:30 – Updated: 2026-04-13 13:48

Title

Sandbox escape in the Responsive Design Mode component

Summary

Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Severity ?

9.6 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-noinfo Not enough information

Assigner

mozilla

References

6 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=2017643
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

2 products

Vendor	Product	Version
Mozilla	Firefox	Unaffected: 115.34 , ≤ 115.* (rpm) Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)
Mozilla	Thunderbird	Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)

Credits

Tom Ritter

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.6,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "CHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4692",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T03:55:56.912626Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T14:07:21.962Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "115.*",
              "status": "unaffected",
              "version": "115.34",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Tom Ritter"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
            }
          ],
          "value": "Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T13:48:45.652Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2017643"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-21/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"
        }
      ],
      "title": "Sandbox escape in the Responsive Design Mode component"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-4692",
    "datePublished": "2026-03-24T12:30:24.864Z",
    "dateReserved": "2026-03-23T23:21:46.185Z",
    "dateUpdated": "2026-04-13T13:48:45.652Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4693 (GCVE-0-2026-4693)

Vulnerability from cvelistv5 – Published: 2026-03-24 12:30 – Updated: 2026-05-07 14:51

Title

Incorrect boundary conditions in the Audio/Video: Playback component

Summary

Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-754 - Improper Check for Unusual or Exceptional Conditions

Assigner

mozilla

References

6 references

URL	Tags
https://bugzilla.mozilla.org/show_bug.cgi?id=2018102
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…
https://www.mozilla.org/security/advisories/mfsa2…

Impacted products

2 products

Vendor	Product	Version
Mozilla	Firefox	Unaffected: 115.34 , ≤ 115.* (rpm) Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)
Mozilla	Thunderbird	Unaffected: 140.9 , ≤ 140.* (rpm) Unaffected: 149 , ≤ * (rpm)

Credits

Sajeeb Lohani

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-4693",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-26T12:50:23.383438Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-754",
                "description": "CWE-754 Improper Check for Unusual or Exceptional Conditions",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-07T14:51:09.853Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Firefox",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "115.*",
              "status": "unaffected",
              "version": "115.34",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        },
        {
          "product": "Thunderbird",
          "vendor": "Mozilla",
          "versions": [
            {
              "lessThanOrEqual": "140.*",
              "status": "unaffected",
              "version": "140.9",
              "versionType": "rpm"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "149",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Sajeeb Lohani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
            }
          ],
          "value": "Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-13T13:48:48.659Z",
        "orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
        "shortName": "mozilla"
      },
      "references": [
        {
          "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2018102"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-21/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"
        },
        {
          "url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"
        }
      ],
      "title": "Incorrect boundary conditions in the Audio/Video: Playback component"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe",
    "assignerShortName": "mozilla",
    "cveId": "CVE-2026-4693",
    "datePublished": "2026-03-24T12:30:25.391Z",
    "dateReserved": "2026-03-23T23:21:48.963Z",
    "dateUpdated": "2026-05-07T14:51:09.853Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

alsa-2026:5932

Vulnerability from osv_almalinux

CVE-2026-4684 (GCVE-0-2026-4684)

CVE-2026-4685 (GCVE-0-2026-4685)

CVE-2026-4686 (GCVE-0-2026-4686)

CVE-2026-4687 (GCVE-0-2026-4687)

CVE-2026-4688 (GCVE-0-2026-4688)

CVE-2026-4689 (GCVE-0-2026-4689)

CVE-2026-4690 (GCVE-0-2026-4690)

CVE-2026-4691 (GCVE-0-2026-4691)

CVE-2026-4692 (GCVE-0-2026-4692)

CVE-2026-4693 (GCVE-0-2026-4693)

Tags

Sightings

Nomenclature