CVE-2026-4687

High

Published: 24 March 2026

Published

24 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS Score 0.0003 7.4th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely patching and remediation of known flaws like the sandbox escape in CVE-2026-4687 fixed in specified Firefox and Thunderbird versions.

SI-10 Information Input Validation partial match

prevent

Mandates validation of information inputs to address the buffer copy without size checking (CWE-120) and improper boundary conditions in the Telemetry component.

SI-16 Memory Protection partial match

prevent

Implements memory protections to mitigate exploitation of buffer-related vulnerabilities that enable sandbox escapes and availability disruptions.

Security SummaryAI

CVE-2026-4687 is a sandbox escape vulnerability caused by incorrect boundary conditions in the Telemetry component of Mozilla Firefox and Thunderbird. Published on 2026-03-24, it carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) and maps to CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CWE-120 (Buffer Copy without Checking Size of Input). The flaw affects Firefox and Thunderbird versions prior to the patched releases.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, user interaction, or authentication. Exploitation results in a change of scope from the sandboxed context, enabling high-impact availability disruption such as application crashes or denial of service, while confidentiality and integrity remain unaffected.

Mozilla fixed the vulnerability in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. Security advisories MFSA2026-20, MFSA2026-21, MFSA2026-22, and MFSA2026-23, along with Bugzilla entry 2016368, provide further details on the patches and recommend immediate updates to mitigate the risk.

Details

CWE(s): CWE-754 CWE-120

Affected Products

mozilla

firefox

≤ 115.34.0 · ≤ 149.0 · 128.0 — 140.9.0

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Sandbox escape with scope change directly enables privilege escalation (T1068) and client-side exploitation (T1203); explicit availability impact via crashes maps to application exploitation for DoS (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2016368
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-20/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-21/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-22/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-23/
security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-24/
security@mozilla.org