CVE-2026-4692

Critical

Published: 24 March 2026

Published

24 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0003 7.9th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates identification, reporting, and correction of the specific sandbox escape flaw via timely patching to fixed Firefox and Thunderbird versions.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Requires monitoring and dissemination of relevant Mozilla security advisories like MFSA2026-20 through MFSA2026-23 to enable prompt awareness and patching of CVE-2026-4692.

RA-5 Vulnerability Monitoring and Scanning good match

prevent

Provides vulnerability scanning to detect and prioritize remediation of critical browser vulnerabilities like CVE-2026-4692 in deployed Firefox and Thunderbird instances.

Security SummaryAI

CVE-2026-4692 is a sandbox escape vulnerability in the Responsive Design Mode component of Mozilla Firefox and Thunderbird. It affects Firefox versions prior to 149, Firefox ESR prior to 115.34 and 140.9, Thunderbird prior to 149, and Thunderbird prior to 140.9. Published on 2026-03-24, the flaw carries a maximum CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), highlighting its critical severity due to network accessibility, low complexity, no prerequisites, and scope change with full triad impact.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. Successful exploitation enables sandbox escape, potentially granting attackers high-level access to compromise confidentiality, integrity, and availability of the affected browser or email client processes.

Mozilla fixed CVE-2026-4692 in Firefox 149, Firefox ESR 115.34 and 140.9, Thunderbird 149, and Thunderbird 140.9. Security practitioners should review advisories MFSA2026-20, MFSA2026-21, MFSA2026-22, and MFSA2026-23, along with Bugzilla entry 2017643, for patch deployment guidance and additional mitigation details.

Details

CWE(s): NVD-CWE-noinfo

Affected Products

mozilla

firefox

≤ 115.34.0 · ≤ 149.0 · 128.0 — 140.9.0

mozilla

thunderbird

≤ 140.9.0 · ≤ 149.0

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Sandbox escape in client browser (Firefox/Thunderbird) with scope change and full impact directly enables T1203 (Exploitation for Client Execution) to run code outside the browser and T1068 (Exploitation for Privilege Escalation) to break sandbox restrictions for host-level access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2017643
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-20/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-21/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-22/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-23/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-24/
Vendor Advisory · security@mozilla.org