CVE-2026-4693

High

Published: 24 March 2026

Published

24 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0003 7.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and patching of flaws like the incorrect boundary conditions in Firefox's Audio/Video Playback component to prevent remote DoS exploitation.

SI-11 Error Handling partial match

prevent

Requires robust error handling for exceptional conditions during media playback to avoid crashes and denial-of-service from CWE-754 boundary issues.

SC-5 Denial-of-service Protection partial match

preventdetect

Limits the effects of and detects denial-of-service events resulting from exploitation of the high availability impact vulnerability in the playback component.

Security SummaryAI

CVE-2026-4693 is a vulnerability involving incorrect boundary conditions in the Audio/Video: Playback component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 149, Firefox ESR prior to 115.34 and 140.9, and Thunderbird prior to 149 and 140.9. The issue is classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions) and carries a CVSS v3.1 base score of 7.5.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation results in a denial-of-service condition due to high availability impact, with no effects on confidentiality or integrity.

Mozilla security advisories (MFSA 2026-20 through 2026-23) and the associated Bugzilla entry detail the fix applied in the specified versions of Firefox and Thunderbird, recommending immediate upgrades to patched releases for mitigation.

Details

CWE(s): CWE-754

Affected Products

mozilla

firefox

≤ 115.34.0 · ≤ 149.0 · 128.0 — 140.9.0

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Remote unauthenticated network exploitation of boundary condition flaw in media playback directly enables application/system crash for DoS impact (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2018102
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-20/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-21/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-22/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-23/
security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-24/
security@mozilla.org