CVE-2026-2807

Critical

Published: 24 February 2026

Published

24 February 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 19.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Memory safety bugs present in Firefox 147 and Thunderbird 147. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was…

fixed in Firefox 148 and Thunderbird 148.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely remediation of flaws like memory safety bugs through patching to Firefox/Thunderbird 148, preventing exploitation.

SI-16 Memory Protection good match

prevent

Implements memory protections such as ASLR and DEP to minimize impact of memory corruption from out-of-bounds writes, hindering arbitrary code execution.

SI-5 Security Alerts, Advisories, and Directives partial match

detectrespond

Requires monitoring security advisories like Mozilla's MFSA2026-13/16 to identify and address the CVE-2026-2807 vulnerability promptly.

Security SummaryAI

CVE-2026-2807 encompasses multiple memory safety bugs in Firefox 147 and Thunderbird 147, classified under CWE-787 (Out-of-bounds Write). These bugs demonstrated evidence of memory corruption, and Mozilla presumes that with sufficient effort, some could be exploited to execute arbitrary code. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Remote attackers can exploit this vulnerability over the network with low attack complexity, without requiring user privileges or interaction. Successful exploitation would grant high-impact confidentiality, integrity, and availability consequences, potentially enabling arbitrary code execution on affected systems.

Mozilla addressed CVE-2026-2807 in Firefox 148 and Thunderbird 148. Detailed information is available in Mozilla Security Advisories MFSA2026-13 and MFSA2026-16, along with the associated Bugzilla bugs (1756056, 1999402, 2004872, 2006037, 2012855).

Details

CWE(s): CWE-787

Affected Products

mozilla

firefox

≤ 148.0

mozilla

thunderbird

≤ 148.0

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Memory corruption RCE in browser/email client (no auth/UI required) directly enables drive-by compromise of clients and exploitation for client-side code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/buglist.cgi?bug_id=1756056%2C1999402%2C2004872%2C2006037%2C2012855
Broken Link · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-13/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-16/
Vendor Advisory · security@mozilla.org