CVE-2026-41431

High

Published: 11 May 2026

Published

11 May 2026

Modified

11 May 2026

KEV Added

—

Patch

—

CVSS Score 8.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0004 10.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-41431 is a high-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability. Its CVSS base score is 8.0 (High).

Operationally, ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CM-14 Signed Components

addresses: CWE-347

Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.

SA-19 Component Authenticity

addresses: CWE-347

Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.

SC-17 Public Key Infrastructure Certificates

addresses: CWE-347

PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.

SC-20 Secure Name/Address Resolution Service (Authoritative Source)

addresses: CWE-347

Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.

SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)

addresses: CWE-347

Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.

SI-7 Software, Firmware, and Information Integrity

addresses: CWE-347

Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.

SR-11 Component Authenticity

addresses: CWE-347

Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.

NVD Description

Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users…

contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-347

References

https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e
security-advisories@github.com
https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q
security-advisories@github.com
https://github.com/zen-browser/desktop/security/advisories/GHSA-qpj9-m8jc-mw6q
134c704f-9b21-4f2e-91b3-4a467353bcc0