Cyber Posture

CVE-2026-4684

Severity: High
Published: 24 March 2026
Modified: 13 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (3.7th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Race condition, use-after-free in the Graphics: WebRender component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent · SI-2 Flaw Remediation

Timely identification, reporting, and patching of the race condition and use-after-free flaw in Firefox WebRender directly remediates CVE-2026-4684. The fix is in the releases named in the description (Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, Thunderbird 140.9); any earlier release on the same branch has no fix.

detect · RA-5 Vulnerability Monitoring and Scanning

Vulnerability scanning identifies systems running Firefox or Thunderbird versions below the fixed releases for their branch. The check has to be branch-aware: ESR 140.8 is vulnerable while ESR 140.9 is fixed, mainline 148 is vulnerable while 149 is fixed, and majors with no fixed release listed (for example Firefox 116 through 139) are vulnerable regardless of point version.

prevent · SI-16 Memory Protection

Memory protections such as ASLR and DEP raise the cost of exploiting the use-after-free on unpatched systems, but they do not reliably prevent it: browser exploit chains routinely pair a memory-corruption bug with an information leak to defeat ASLR, and DEP is bypassed with code reuse. Treat these as defense in depth, not as a substitute for applying the fixed release.
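The branch-aware version check described under the detect control, as an added example that is not part of the original page or of any Mozilla tooling. It encodes only the fixed releases stated in the description above; the host inventory is constructed sample data, and the treatment of majors without a listed fix (old mainline releases, the ESR 128 line) as vulnerable is an assumption that follows from no fix being named for them.

```python
"""Branch-aware vulnerability check for CVE-2026-4684 (added example, not Mozilla code)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Fixed releases taken from the advisory description on this page.
# Mainline: the first major that carries the fix (every later major does too).
MAINLINE_FIXED: Dict[str, int] = {"firefox": 149, "thunderbird": 149}
# ESR branches: major -> first point release on that branch that carries the fix.
ESR_FIXED: Dict[str, Dict[int, Version]] = {
    "firefox": {115: (115, 34), 140: (140, 9)},
    "thunderbird": {140: (140, 9)},
}


def parse_version(text: str) -> Version:
    """Turn '140.8.0esr' or '149.0' into a comparable tuple of ints.

    Channel suffixes such as 'esr' are dropped; pre-release markers ('149.0a1')
    are also dropped, so nightlies are treated like their release number.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(product: str, version_text: str) -> bool:
    """True when the installed version predates the fix for its branch."""
    product = product.lower()
    if product not in MAINLINE_FIXED:
        raise ValueError(f"unknown product: {product!r}")
    version = parse_version(version_text)
    major = version[0]
    if major >= MAINLINE_FIXED[product]:
        return False  # 149 or later: fix is present on mainline
    esr_fix = ESR_FIXED[product].get(major)
    if esr_fix is not None:
        # Supported ESR branch: fixed from the named point release onward.
        # Tuple comparison makes (115, 34, 0) >= (115, 34) as intended.
        return version < esr_fix
    # Assumption: a major with no fixed release named on the page (e.g. 116-139
    # for Firefox, or Thunderbird 115) has no patched build, so it is vulnerable.
    return True


# Constructed sample inventory (hostname, product, reported version); not real hosts.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "firefox", "148.0.1"),
    ("ws-02", "firefox", "149.0"),
    ("srv-esr", "firefox", "140.8.0esr"),
    ("srv-esr2", "firefox", "140.9.0esr"),
    ("legacy", "firefox", "115.33.0esr"),
    ("legacy2", "firefox", "128.12.0esr"),
    ("mail-01", "thunderbird", "140.8.0"),
    ("mail-02", "thunderbird", "149.0"),
]


def vulnerable_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose installed build predates the fix."""
    return [host for host, product, ver in inventory if is_vulnerable(product, ver)]


if __name__ == "__main__":
    for host, product, ver in SAMPLE_INVENTORY:
        state = "VULNERABLE" if is_vulnerable(product, ver) else "fixed"
        print(f"{host:10} {product:12} {ver:14} {state}")
```

The point of the per-branch table is that a naive "version < 149" test would flag a patched ESR 140.9 host and a naive "version >= 140.9" test would clear an unpatched mainline 148 host; scanners that only carry a single upper bound get one of the two wrong.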

Security Summary (AI-generated)

CVE-2026-4684 is a race condition vulnerability that can lead to a use-after-free error in the Graphics: WebRender component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 149, Firefox ESR prior to 115.34 and 140.9, and Thunderbird prior to 149 and 140.9. The issue is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-416 (Use After Free), with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

Remote attackers can exploit this vulnerability over the network without privileges, but it carries high attack complexity (the race window has to be won reliably) and requires user interaction, such as visiting a malicious site or clicking a link. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, potentially allowing arbitrary code execution in the browser process that hosts WebRender.

Mozilla's security advisories (MFSA 2026-20 through 2026-23) and the associated Bugzilla entry confirm the vulnerability was addressed in the listed fixed releases. Security practitioners should prioritize updating affected Firefox and Thunderbird installations to mitigate the risk. The EPSS score of 0.0002 is a prediction of low near-term exploitation probability, not a statement about impact; since Mozilla ships fixes through its normal update channel, the cheapest control is to confirm that automatic updates are enabled and have applied.

Details

CWE(s)

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ("Race Condition") · CWE-416 Use After Free

Affected Products

mozilla firefox: versions before 115.34.0 (ESR 115) · versions before 149.0 (mainline) · 128.0 up to, but not including, 140.9.0 (ESR)
mozilla thunderbird: versions before 149.0 and before 140.9.0, per the description above

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

Browser RCE via malicious site visit or link click directly enables drive-by compromise (T1189), exploitation for client execution (T1203), and user execution via malicious link (T1204.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
