CVE-2026-2772

Critical

Published: 24 February 2026

Published

24 February 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 6.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Use-after-free in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely identification, reporting, and remediation of flaws like this use-after-free vulnerability through patching to updated Firefox and Thunderbird versions.

SI-16 Memory Protection partial match

prevent

Implements memory protection mechanisms such as ASLR and DEP that mitigate exploitation of use-after-free errors in the audio/video playback component.

SC-39 Process Isolation partial match

prevent

Provides process isolation via browser sandboxing to limit the impact of arbitrary code execution from the use-after-free vulnerability.

Security SummaryAI

CVE-2026-2772 is a use-after-free vulnerability (CWE-416) in the Audio/Video: Playback component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 148, Firefox ESR prior to 115.33 and 140.8, and Thunderbird prior to 148 and 140.8. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impact across confidentiality, integrity, and availability.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation could allow the attacker to achieve high-impact effects, including arbitrary code execution, data corruption, or denial of service on the affected browser or email client.

Mozilla's security advisories (MFSA 2026-13 through 2026-16) and the associated Bugzilla entry detail the fix applied in the listed versions. Mitigation involves updating to Firefox 148, Firefox ESR 115.33 or 140.8, Thunderbird 148, or Thunderbird 140.8 as soon as possible to address the use-after-free issue in the playback component.

Details

CWE(s): CWE-416

Affected Products

mozilla

firefox

≤ 115.33.0 · ≤ 148.0 · 128.0 — 140.8.0

mozilla

thunderbird

≤ 140.8.0 · ≤ 148.0

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Use-after-free RCE in browser/email client media playback enables remote arbitrary code execution (no UI required), directly mapping to drive-by compromise via malicious web content and exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2014827
Issue Tracking, Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-13/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-14/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-15/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-16/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-17/
Vendor Advisory · security@mozilla.org