Cyber Posture

CVE-2026-2785

Critical

Published: 24 February 2026

Modified: 13 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Invalid pointer in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Directly mandates timely identification, reporting, and correction of flaws such as this invalid pointer dereference in the JavaScript engine via vendor patches.

prevent: Implements memory protection controls like address space layout randomization and data execution prevention to mitigate exploitation of invalid pointer vulnerabilities.

detect: Requires vulnerability scanning to identify systems affected by CVE-2026-2785 in the JavaScript engine prior to exploitation.

Security Summary · AI

CVE-2026-2785 is an invalid pointer vulnerability (CWE-824) in the JavaScript Engine component of Mozilla products. It affects Firefox versions prior to 148, Firefox ESR versions prior to 140.8, Thunderbird versions prior to 148, and Thunderbird versions prior to 140.8. The issue has a CVSS v3.1 base score of 9.8, indicating critical severity.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution within the context of the affected browser or email client.

Mozilla security advisories (MFSA 2026-13, 15, 16, and 17) and the associated Bugzilla entry detail the patch releases that address the vulnerability. Mitigation involves updating to Firefox 148, Firefox ESR 140.8, Thunderbird 148, or Thunderbird 140.8, as these versions include the necessary fixes for the invalid pointer dereference in the JavaScript Engine.

Details

CWE(s): CWE-824

Affected Products

mozilla firefox: ≤ 140.8.0 · ≤ 148.0
mozilla thunderbird: ≤ 140.8.0 · ≤ 148.0

MITRE ATT&CK Enterprise Techniques · AI

T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

An invalid pointer dereference in the JavaScript engine enables remote arbitrary code execution in browser and email clients with no authentication or user interaction required. This maps directly to drive-by compromise (a malicious site or JavaScript payload) and to exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
