CVE-2026-2777
Published: 24 February 2026
Description
Privilege escalation in the Messaging System component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the CVE by requiring timely remediation of the privilege escalation flaw through patching to the fixed Firefox and Thunderbird versions.
Mitigates improper privilege management (CWE-269) by enforcing least privilege, limiting the impact of successful escalation in the Messaging System component.
Identifies vulnerable versions of Firefox and Thunderbird via vulnerability scanning, enabling proactive patching before remote exploitation.
Security SummaryAI
CVE-2026-2777 is a privilege escalation vulnerability in the Messaging System component affecting Mozilla Firefox and Thunderbird products. It impacts versions of Firefox prior to 148, Firefox ESR prior to 115.33 and 140.8, and Thunderbird prior to 148 and 140.8. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management).
The vulnerability can be exploited remotely by unauthenticated attackers over the network with low complexity and no user interaction required. Successful exploitation enables privilege escalation, resulting in high impacts to confidentiality, integrity, and availability.
Mozilla security advisories (MFSA 2026-13 through 2026-16) and the associated Bugzilla entry detail the patch releases that address the issue, recommending immediate upgrades to Firefox 148, Firefox ESR 115.33 or 140.8, Thunderbird 148, or Thunderbird 140.8.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE describes remote unauthenticated privilege escalation via improper privilege management (CWE-269) in client software, directly matching T1068 Exploitation for Privilege Escalation.