CVE-2026-2801

High

Published: 24 February 2026

Published

24 February 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0006 18.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AU-5 Response to Audit Logging Process Failures

addresses: CWE-754

Requires detection and response to audit logging failures as an unusual or exceptional condition.

CP-12 Safe Mode

addresses: CWE-754

Implements detection of unusual or exceptional conditions followed by safe mode entry, reducing the window for exploitation of unchecked conditions.

CP-3 Contingency Training

addresses: CWE-754

Training ensures users perform required checks for unusual or exceptional conditions as part of contingency roles, limiting attacker leverage from skipped validations.

IR-3 Incident Response Testing

addresses: CWE-754

IR testing directly validates checks for unusual or exceptional conditions that could indicate security incidents.

PM-31 Continuous Monitoring Strategy

addresses: CWE-754

Requires ongoing monitoring of organization-defined metrics and analysis, enabling checks for unusual or exceptional conditions.

SA-11 Developer Testing and Evaluation

addresses: CWE-754

Security testing routinely checks for unusual or exceptional inputs/conditions, identifying missing validation steps that flaw remediation then resolves.

SC-24 Fail in Known State

addresses: CWE-754

Requires detection of unusual conditions followed by a controlled transition to the defined failure state.

SI-13 Predictable Failure Prevention

addresses: CWE-754

MTTF determination forces explicit checks for conditions that precede predictable component failure.

Security SummaryAI

CVE-2026-2801 is a vulnerability involving incorrect boundary conditions in the JavaScript WebAssembly component of Mozilla Firefox and Thunderbird. It affects versions prior to Firefox 148 and Thunderbird 148, where improper handling of boundary checks in WebAssembly processing can lead to issues. The vulnerability is classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions) and carries a CVSS v3.1 base score of 7.5.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. Successful exploitation results in high-impact denial of service, potentially crashing the affected browser or mail client without compromising confidentiality or integrity.

Mozilla's security advisories (MFSA 2026-13 and MFSA 2026-16) and the associated Bugzilla entry (bug 2009901) confirm the issue was addressed in Firefox 148 and Thunderbird 148. Security practitioners should ensure users update to these patched versions to mitigate the risk.

Details

CWE(s): CWE-754

Affected Products

mozilla

firefox

≤ 148.0

mozilla

thunderbird

≤ 148.0

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Vulnerability enables remote exploitation of a client application (browser/mail) to cause a crash/DoS with no user interaction or privileges required, directly mapping to application/system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2009901
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-13/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-16/
Vendor Advisory · security@mozilla.org