CVE-2026-4696

Critical

Published: 24 March 2026

Published

24 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 8.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Use-after-free in the Layout: Text and Fonts component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely patching of known software flaws like this use-after-free vulnerability in Firefox and Thunderbird.

SI-16 Memory Protection partial match

prevent

Implements memory safeguards such as ASLR and DEP that mitigate exploitation of use-after-free errors in the browser's rendering engine.

SC-39 Process Isolation partial match

prevent

Enforces process isolation via browser sandboxing to limit the impact and potential code execution from the layout component vulnerability.

Security SummaryAI

CVE-2026-4696 is a use-after-free vulnerability (CWE-416) in the Layout: Text and Fonts component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 149, Firefox ESR prior to 115.34 and 140.9, and Thunderbird prior to 149 and 140.9. The issue was publicly disclosed on 2026-03-24 and carries a CVSS v3.1 base score of 9.8, indicating critical severity due to its potential for high impact.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges or user interaction. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution within the browser's rendering engine.

Mozilla addressed the vulnerability in the specified fixed releases: Firefox 149, Firefox ESR 115.34 and 140.9, Thunderbird 149, and Thunderbird 140.9. Detailed information is available in Mozilla's security advisories MFSA 2026-20 through MFSA 2026-23 and Bugzilla entry 2020190. Security practitioners should prioritize updating affected products to mitigate exposure.

Details

CWE(s): CWE-416

Affected Products

mozilla

firefox

≤ 115.34.0 · ≤ 149.0 · 128.0 — 140.9.0

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Use-after-free RCE in browser rendering engine (no auth/interaction) directly enables drive-by delivery of malicious content and client-side exploitation for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2020190
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-20/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-21/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-22/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-23/
security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-24/
security@mozilla.org