CVE-2026-2769

High

Published: 24 February 2026

Published

24 February 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0002 6.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Use-after-free in the Storage: IndexedDB component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and patching of flaws like the use-after-free in Firefox's IndexedDB component, directly aligning with Mozilla's upgrade recommendation to fixed versions.

SI-16 Memory Protection partial match

prevent

Implements memory protections such as ASLR and stack canaries that mitigate use-after-free vulnerabilities by preventing unauthorized code execution in the browser's sandboxed IndexedDB process.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables scanning of endpoints to identify systems running vulnerable Firefox or Thunderbird versions affected by CVE-2026-2769 prior to exploitation.

Security SummaryAI

CVE-2026-2769 is a use-after-free vulnerability (CWE-416) in the Storage: IndexedDB component of Mozilla Firefox and Thunderbird products. It affects versions prior to the fixed releases, including Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. The flaw carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

The vulnerability can be exploited by a remote attacker with no privileges required, via low-complexity attacks that necessitate user interaction, such as visiting a malicious webpage. Successful exploitation could allow arbitrary code execution within the browser sandbox, data theft from IndexedDB storage, or denial-of-service through crashes, potentially compromising user data or enabling further attacks if chained with sandbox escapes.

Mozilla's security advisories (MFSA 2026-13 through 2026-16) and the associated Bugzilla entry detail the patch deployments in the listed versions, recommending immediate upgrades to mitigate the issue. No workarounds are specified beyond applying the updates.

Details

CWE(s): CWE-416

Affected Products

mozilla

firefox

≤ 115.33.0 · ≤ 148.0 · 128.0 — 140.8.0

mozilla

thunderbird

≤ 140.8.0 · ≤ 148.0

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Use-after-free in browser IndexedDB enables drive-by compromise via malicious webpage (T1189) and direct exploitation for client-side arbitrary code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2014550
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-13/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-14/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-15/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-16/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-17/
Vendor Advisory · security@mozilla.org