CVE-2026-2765
Published: 24 February 2026
Description
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Mitigating Controls (NIST 800-53 r5)
Directly requires timely remediation of flaws through patching, addressing the use-after-free vulnerability fixed in updated Firefox and Thunderbird versions.
Implements memory protection techniques like ASLR and DEP that mitigate exploitation of use-after-free vulnerabilities in the JavaScript engine.
Enforces process isolation via browser sandboxing to contain the impact of JavaScript engine exploits and prevent escalation to system compromise.
Security Summary
CVE-2026-2765 is a use-after-free vulnerability (CWE-416) in the JavaScript Engine component of Mozilla products, published on 2026-02-24. It affects Firefox versions prior to 148, Firefox ESR prior to 140.8, Thunderbird prior to 148, and Thunderbird prior to 140.8, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no user privileges or interaction. Successful exploitation enables high-impact confidentiality, integrity, and availability violations, potentially leading to arbitrary code execution within the browser or application context.
Mozilla security advisories (MFSA2026-13, MFSA2026-15, MFSA2026-16, and MFSA2026-17) and Bugzilla entry 2013562 detail the fix applied in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. Mitigation requires updating affected products to these versions or later.
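The fixed-version rule above is branch-aware: a build on the 140 ESR branch is fixed from 140.8, while every other branch is fixed only from 148, so a plain "version >= 140.8" comparison would wrongly pass 141 through 147. The following inventory check is an added example, not Mozilla's or this page's code; the hostnames, sample versions and the function names `is_fixed` and `triage` are constructed for illustration, and treating major version 140 as the ESR branch is an assumption.

```python
import re

# Fixed releases as stated on this page, per product: (mainline, ESR branch).
FIXED = {
    "firefox": ((148, 0), (140, 8)),
    "thunderbird": ((148, 0), (140, 8)),
}
_VERSION = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.\d+)*(esr)?$")


def is_fixed(product: str, version: str) -> bool:
    """Return True if `version` of `product` contains the fix for CVE-2026-2765."""
    mainline, esr = FIXED[product.lower()]
    m = _VERSION.match(version.strip().lower())
    if not m:
        # Betas, nightlies, vendor-suffixed builds: do not guess, force review.
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2) or 0)
    if major == esr[0]:
        # Assumption: major 140 is the ESR branch; compare its minor number.
        return minor >= esr[1]
    # Every other branch is fixed only from the mainline release onward,
    # so 141-147 are NOT fixed even though they sort above 140.8.
    return (major, minor) >= mainline


def triage(inventory):
    """Split (host, product, version) rows into fixed / vulnerable / review."""
    result = {"fixed": [], "vulnerable": [], "review": []}
    for host, product, version in inventory:
        try:
            bucket = "fixed" if is_fixed(product, version) else "vulnerable"
        except (KeyError, ValueError):
            bucket = "review"  # unknown product or unparseable version
        result[bucket].append(host)
    return result


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = [
    ("ws-01", "Firefox", "148.0"),
    ("ws-02", "Firefox", "147.0.2"),
    ("ws-03", "Firefox", "140.8.0esr"),
    ("ws-04", "Firefox", "140.7.1esr"),
    ("ws-05", "Thunderbird", "141.0"),
    ("ws-06", "Thunderbird", "148.0b2"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```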
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in JS engine enables remote arbitrary code execution in browser/app context (no auth/interaction required), directly facilitating client-side exploitation.