CVE-2026-2804
Published: 24 February 2026
Description
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that aim for arbitrary code execution are blocked or made significantly harder by non-executable pages and ASLR.
Security Summary
CVE-2026-2804 is a use-after-free vulnerability (CWE-416) in the JavaScript WebAssembly component of Mozilla Firefox and Thunderbird. It affects versions prior to Firefox 148 and Thunderbird 148, where the issue was addressed. The vulnerability carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N), indicating medium severity: it is reachable over the network, has low attack complexity and requires no privileges, but depends on user interaction.
Remote attackers can exploit this vulnerability by tricking users into visiting a malicious website or interacting with crafted content that triggers the use-after-free in WebAssembly processing. Successful exploitation has limited impact: partial disclosure of sensitive information from the browser's context and modification of some data, with no effect on availability and no elevated privileges required.
Mozilla's security advisories (MFSA 2026-13 and MFSA 2026-16) and the associated Bugzilla entry (bug 2013584) confirm the fix in Firefox 148 and Thunderbird 148. Security practitioners should prioritize updating affected browsers to these versions to mitigate the risk, as no workarounds are specified in the provided references.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free in browser WebAssembly is directly triggered by visiting a malicious website, enabling drive-by compromise (T1189).