CVE-2026-4695
Published: 24 March 2026
Description
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Mitigating Controls (NIST 800-53 r5), AI-generated
- Directly remediates the boundary condition vulnerability by requiring timely identification, reporting, and patching to fixed versions like Firefox 149 and ESR 140.9.
- Requires the system to generate no unhandled errors and manage exceptions without compromising availability, directly countering the crash-inducing improper boundary checks in Web Codecs.
- Enforces validation of external inputs for length, range, and boundary conditions before processing in components like Audio/Video Web Codecs, mitigating exploitation vectors.
Security Summary, AI-generated
CVE-2026-4695 is a vulnerability involving incorrect boundary conditions in the Audio/Video: Web Codecs component of Mozilla products. It affects Firefox, Firefox ESR, and Thunderbird, and was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. The issue is classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions) with a CVSS v3.1 base score of 7.5.
The vulnerability can be exploited remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing scope (S:U). Successful exploitation results in high-impact denial of service (A:H) with no impact on confidentiality or integrity, potentially causing application crashes.
Mozilla security advisories, including MFSA 2026-20, 2026-22, 2026-23, and 2026-24, along with Bugzilla entry 2020030, detail the patch deployments in the specified versions, recommending users update to these releases for mitigation.
Details
- CWE(s): CWE-754 (Improper Check for Unusual or Exceptional Conditions)
- Affected Products: Firefox, Firefox ESR, Thunderbird
MITRE ATT&CK Enterprise Techniques, AI-generated
Why these techniques?
The vulnerability enables remote exploitation of improper boundary conditions in Web Codecs, directly causing application crashes and high-impact denial of service with no code execution, mapping to T1499.004 (Application or System Exploitation under Endpoint Denial of Service).