CVE-2026-2795
Published: 24 February 2026
Description
Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
Mitigating Controls (NIST 800-53 r5)AI
Mandates identification, reporting, and timely correction of flaws like the use-after-free in Firefox/Thunderbird JavaScript GC, fixed in versions 148.
Implements memory safeguards such as ASLR and DEP to mitigate exploitation of the use-after-free vulnerability leading to arbitrary code execution.
Requires vulnerability scanning and monitoring to identify systems with vulnerable Firefox or Thunderbird versions affected by CVE-2026-2795.
Security SummaryAI
CVE-2026-2795 is a use-after-free vulnerability (CWE-416) in the JavaScript Garbage Collector (GC) component of Mozilla Firefox and Thunderbird. Published on 2026-02-24, it received a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact.
The vulnerability can be exploited remotely by unauthenticated attackers over the network with low attack complexity and no user interaction required. Exploitation grants no privileges beforehand but can achieve high impacts on confidentiality, integrity, and availability, such as arbitrary code execution or system compromise within the browser context.
Mozilla security advisories MFSA 2026-13 and MFSA 2026-16 confirm the issue was fixed in Firefox 148 and Thunderbird 148, urging users to apply these updates immediately. Further technical details, including patch information, are documented in Bugzilla entry 2010940.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free RCE in browser JS engine directly enables drive-by compromise via malicious web content (T1189) and exploitation of client software vulnerabilities for code execution (T1203).