CVE-2026-2782
Published: 24 February 2026
Description
Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of the privilege escalation flaw in Firefox and Thunderbird Netmonitor component to prevent remote exploitation.
Enforces least privilege to counter improper privilege management (CWE-269) and limit escalation impact in browser components.
Mandates enforcement of access control policies to block unauthorized privilege escalation within the Netmonitor component.
Security SummaryAI
CVE-2026-2782 is a privilege escalation vulnerability in the Netmonitor component, affecting Mozilla Firefox and Thunderbird prior to their respective fixed versions. The issue was addressed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical severity, and is associated with CWE-269 (Improper Privilege Management) alongside NVD-CWE-noinfo.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables high-impact outcomes, including unauthorized access to confidential data, modification of system integrity, and denial of service, through privilege escalation within the affected browser or email client components.
Mozilla's security advisories (MFSA2026-13, MFSA2026-15, MFSA2026-16, and MFSA2026-17) and Bugzilla entry 2010743 document the vulnerability and recommend updating to the patched versions—Firefox 148 or ESR 140.8, and Thunderbird 148 or 140.8—for mitigation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE describes a remote privilege escalation vulnerability (CWE-269) in client software with no auth/UI required, directly enabling T1068 Exploitation for Privilege Escalation.