CVE-2026-2791

Critical

Published: 24 February 2026

Published

24 February 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 8.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Mitigation bypass in the Networking: Cache component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely remediation of critical flaws like CVE-2026-2791 through vendor patches to Firefox 148 and Thunderbird 140.8, preventing exploitation of the cache mitigation bypass.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Requires vulnerability scanning to identify systems running vulnerable Firefox or Thunderbird versions affected by CVE-2026-2791, enabling proactive patching.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Ensures monitoring and application of security advisories such as MFSA2026-13 to promptly update browsers and mitigate the cache component bypass in CVE-2026-2791.

Security SummaryAI

CVE-2026-2791 is a mitigation bypass vulnerability in the Networking: Cache component of Mozilla Firefox and Thunderbird. The issue, published on 2026-02-24, affects versions prior to Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8, where it was fixed. It is associated with CWE-288 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. Successful exploitation enables high-impact disruption to confidentiality, integrity, and availability, allowing attackers to bypass security mitigations via the cache component.

Mozilla's security advisories (MFSA2026-13, MFSA2026-15, MFSA2026-16, and MFSA2026-17), along with Bugzilla entry 2015220, document the vulnerability and confirm that updating to the specified fixed versions—Firefox 148, Firefox ESR 140.8, Thunderbird 148, or Thunderbird 140.8—mitigates the issue.

Details

CWE(s): NVD-CWE-noinfo CWE-288

Affected Products

mozilla

firefox

≤ 140.8.0 · ≤ 148.0

mozilla

thunderbird

≤ 140.8.0 · ≤ 148.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1562.001 Disable or Modify Tools Stealth

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.

attack.mitre.org →

Why these techniques?

Mitigation bypass in browser cache component (CWE-288) with no-auth remote trigger and full CIA impact directly enables client-side exploitation (T1203) while impairing defenses by subverting security controls (T1562.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2015220
Issue Tracking, Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-13/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-15/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-16/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-17/
Vendor Advisory · security@mozilla.org