CVE-2026-2805

Critical

Published: 24 February 2026

Published

24 February 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 6.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Invalid pointer in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely remediation of known software flaws like this invalid pointer vulnerability through patching to Firefox 148 or Thunderbird 148.

SI-16 Memory Protection partial match

prevent

Implements memory protection mechanisms such as ASLR and DEP to mitigate exploitation of memory corruption from invalid pointer dereferences in the DOM component.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables vulnerability scanning to identify systems running vulnerable versions of Firefox or Thunderbird affected by CVE-2026-2805.

Security SummaryAI

CVE-2026-2805 is an invalid pointer vulnerability in the DOM Core & HTML component of Mozilla Firefox and Thunderbird. The issue, associated with CWE-824 (Access of Uninitialized Pointer), allows for critical memory corruption and was assigned a CVSS v3.1 base score of 9.8, reflecting its high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

Remote attackers can exploit this vulnerability over the network without authentication or user interaction to achieve high-impact confidentiality, integrity, and availability violations. Successful exploitation could lead to arbitrary code execution, data exposure, or system compromise within the browser's sandboxed environment.

Mozilla's security advisories (MFSA 2026-13 and MFSA 2026-16) and Bugzilla entry (bug 2014549) detail the fix applied in Firefox 148 and Thunderbird 148. Security practitioners should ensure users update to these versions or later to mitigate the risk, as no workarounds are specified in the provided references.

Details

CWE(s): NVD-CWE-noinfo CWE-824

Affected Products

mozilla

firefox

≤ 148.0

mozilla

thunderbird

≤ 148.0

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

CVE describes unauthenticated remote memory corruption/RCE in client browser (Firefox/Thunderbird) with no user interaction required, directly enabling drive-by compromise via malicious sites and exploitation for client execution to run arbitrary code in the sandbox.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2014549
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-13/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-16/
Vendor Advisory · security@mozilla.org