Cyber Posture

CVE-2026-4701

Severity: Critical

Published: 24 March 2026
Modified: 13 April 2026
KEV Added: 
Patch: 

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.1th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Requires timely patching of the use-after-free in the JavaScript engine by updating to the fixed Firefox and Thunderbird versions, preventing exploitation.
- prevent: Implements memory protections such as ASLR and DEP that raise the bar for successful exploitation of the use-after-free in the JavaScript engine.
- detect: Enables vulnerability scanning to identify systems running affected versions of Firefox, Firefox ESR, or Thunderbird prior to the fixed releases.
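The detect control above amounts to comparing inventoried browser and mail-client versions against the fixed releases this record names (Firefox 149, Firefox ESR 140.9, Thunderbird 149, Thunderbird 140.9). The following is an added example, not code from the Cyber Posture record or from Mozilla, showing that check over a constructed inventory. It assumes the 140.x line is the ESR branch for both products, so that a mainline build such as 141 through 148 is judged against 149 while a 140.x build is judged against 140.9; the inventory rows are constructed sample data.

```python
# Added example (not part of the Cyber Posture record): flag Firefox / Thunderbird
# installs still exposed to CVE-2026-4701 by comparing them with the fixed releases
# the record states. Branch handling (140.x = ESR, anything else = mainline) is an
# assumption made here to interpret "prior to the fixed releases".
from typing import List, Tuple

# Fixed releases taken from the record, keyed by product and branch.
FIXED = {
    "firefox": {"esr": (140, 9), "mainline": (149, 0)},
    "thunderbird": {"esr": (140, 9), "mainline": (149, 0)},
}
ESR_MAJOR = 140  # assumption: the 140.x line is the ESR branch for both products


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn strings like '140.8.1esr' or '148.0' into a comparable tuple of ints."""
    core = text.strip().lower()
    if core.endswith("esr"):
        core = core[:-3]
    return tuple(int(part) for part in core.split("."))


def branch_for(version: Tuple[int, ...]) -> str:
    """Pick the release line a version belongs to (assumed: 140.x is ESR)."""
    return "esr" if version[0] == ESR_MAJOR else "mainline"


def is_vulnerable(product: str, version_text: str) -> bool:
    """True when the install predates the fixed release for its branch."""
    key = product.strip().lower()
    if key not in FIXED:
        raise ValueError(f"unknown product: {product}")
    version = parse_version(version_text)
    fixed = FIXED[key][branch_for(version)]
    # Compare major.minor only; pad short versions such as '148' with zeros.
    padded = (version + (0, 0))[:2]
    return padded < fixed


def scan(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if is_vulnerable(row[1], row[2])]


# Constructed sample inventory; host names and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "148.0"),          # mainline, before 149 -> exposed
    ("ws-02", "firefox", "149.0"),          # mainline fixed release
    ("ws-03", "firefox", "140.8.0esr"),     # ESR, before 140.9 -> exposed
    ("ws-04", "firefox", "140.9.0esr"),     # ESR fixed release
    ("mail-01", "thunderbird", "139.0"),    # old mainline -> exposed
    ("mail-02", "thunderbird", "140.10.0"), # ESR after the fix
]

if __name__ == "__main__":
    for host, product, version in scan(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} predates the CVE-2026-4701 fix")
```

Because the comparison keys on the branch, a mainline 141.0 install is correctly reported as exposed even though its major version is above 140.9; a check that only compared against the lowest fixed number would miss it.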

Security Summary [AI-generated]

CVE-2026-4701 is a use-after-free vulnerability (CWE-416) in the JavaScript Engine component of Mozilla products. It affects Firefox, Firefox ESR, and Thunderbird versions prior to the fixed releases of Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. The vulnerability was publicly disclosed on 2026-03-24.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low attack complexity and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution within the context of the affected browser or mail client.

Mozilla security advisories (MFSA2026-20, MFSA2026-22, MFSA2026-23, and MFSA2026-24) and Bugzilla entry 2009303 detail the issue and confirm mitigation through updates to the specified fixed versions. Security practitioners should prioritize patching affected installations to Firefox 149, Firefox ESR 140.9, Thunderbird 149, or Thunderbird 140.9.

Details

CWE(s): CWE-416 (Use After Free)

Affected Products: mozilla / firefox, listed as ≤ 140.9.0 · ≤ 149.0 (the Description above gives 140.9 and 149 as the fixed releases)

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1203 Exploitation for Client Execution (tactic: Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
- T1059.007 JavaScript (tactic: Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

A use-after-free in the JavaScript engine enables remote arbitrary code execution on the client (browser or mail client) through crafted JavaScript, which maps to client-application exploitation and abuse of the JavaScript interpreter.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References