Cyber Posture

CVE-2026-4688

Severity: Critical

Published: 24 March 2026
Modified: 13 April 2026
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent: Directly remediates the use-after-free vulnerability by requiring timely patching to Firefox 149+, ESR 140.9+, or the Thunderbird equivalents as specified in Mozilla advisories.
- Prevent: Mitigates use-after-free exploitation through memory protection mechanisms such as ASLR and DEP that hinder arbitrary code execution in sandboxed environments.
- Prevent: Strengthens process isolation boundaries to limit the impact of sandbox escapes originating from flaws in components like the Disability Access APIs.

Security Summary [AI-generated]

CVE-2026-4688 is a critical sandbox escape vulnerability stemming from a use-after-free flaw (CWE-416) in the Disability Access APIs component of Mozilla products. It affects Firefox prior to version 149, Firefox ESR prior to 140.9, Thunderbird prior to 149, and Thunderbird prior to 140.9. The issue was publicly disclosed on March 24, 2026, and carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating its severe potential impact.

Per the CVSS vector, the flaw is reachable over the network, is low in attack complexity, and requires neither privileges nor user interaction. Successful exploitation enables a sandbox escape, granting elevated privileges and resulting in high-impact confidentiality, integrity, and availability violations, potentially leading to full system compromise on affected browsers or email clients.

Mozilla's security advisories (MFSA 2026-20, 22, 23, and 24) and the associated Bugzilla entry (bug 2016373) confirm the vulnerability was addressed in the specified fixed releases. Security practitioners should prioritize updating to Firefox 149 or later, Firefox ESR 140.9 or later, Thunderbird 149 or later, and Thunderbird 140.9 or later to mitigate the risk.

Details

CWE(s): CWE-416 (Use After Free)

Affected Products

- mozilla firefox: ≤ 140.9.0 · ≤ 149.0

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1203 Exploitation for Client Execution (tactic: Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

A use-after-free sandbox escape in a client application (Firefox/Thunderbird) enables remote unauthenticated code execution with a scope change to full system privileges, mapping directly to T1203 (client execution) and T1068 (privilege escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
