CVE-2026-2774
Published: 24 February 2026
Description
Integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely patching of the integer overflow vulnerability in Firefox and Thunderbird Audio/Video components to prevent remote arbitrary code execution.
Enables periodic vulnerability scanning to identify systems running vulnerable versions of Firefox or Thunderbird prior to patching.
Ensures timely awareness and dissemination of Mozilla security advisories (MFSA 2026-13) detailing the CVE for prioritized remediation.
Security SummaryAI
CVE-2026-2774 is an integer overflow vulnerability (CWE-190) in the Audio/Video component of Mozilla Firefox and Thunderbird products. It affects versions of Firefox prior to 148, Firefox ESR prior to 115.33 and 140.8, and Thunderbird prior to 148 and 140.8. The vulnerability was publicly disclosed on 2026-02-24 and carries a CVSS v3.1 base score of 9.8, indicating critical severity.
A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation can result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution within the browser or application sandbox.
Mozilla's security advisories (MFSA 2026-13 through 2026-16) and the associated Bugzilla entry (bug 2014883) detail the fix applied in the listed versions. Security practitioners should prioritize updating affected Firefox and Thunderbird installations to the patched releases to mitigate the risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Integer overflow RCE in browser/email client AV component enables drive-by compromise (T1189) via malicious media and direct exploitation for client execution (T1203) with no user interaction required.