CVE-2026-2779

Critical

Published: 24 February 2026

Published

24 February 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 6.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Incorrect boundary conditions in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of software flaws like the buffer overflow in Firefox/Thunderbird's Networking JAR component via vendor patches such as Firefox 148.

SI-16 Memory Protection good match

prevent

Implements memory safeguards like address space layout randomization and data execution prevention to block unauthorized code execution from buffer overflow exploits in the JAR component.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Provides vulnerability scanning to identify systems running vulnerable versions of Firefox or Thunderbird affected by the JAR boundary condition flaw.

Security SummaryAI

CVE-2026-2779 is a vulnerability involving incorrect boundary conditions in the Networking: JAR component of Mozilla Firefox and Thunderbird. It affects versions prior to Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8, and is associated with CWE-119 (likely a buffer overflow due to improper bounds checking), as indicated by NVD-CWE-noinfo. The issue carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.

An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables high-impact compromise, including unauthorized access to sensitive data (confidentiality), modification of system state (integrity), and disruption of services (availability).

Mozilla security advisories (MFSA 2026-13, 15, 16, and 17) and the associated Bugzilla entry detail the patch, recommending immediate updates to Firefox 148, Firefox ESR 140.8, Thunderbird 148, or Thunderbird 140.8 to mitigate the issue.

Details

CWE(s): NVD-CWE-noinfo CWE-119

Affected Products

mozilla

firefox

≤ 140.8.0 · ≤ 148.0

mozilla

thunderbird

≤ 140.8.0 · ≤ 148.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Remote buffer overflow (CWE-119) in client-side Networking:JAR component of Firefox/Thunderbird enables arbitrary code execution with no user interaction, directly mapping to T1203 Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1164141
Issue Tracking, Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-13/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-15/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-16/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-17/
Vendor Advisory · security@mozilla.org