CVE-2026-4705

Critical

Published: 24 March 2026

Published

24 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 6.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, prioritization, and patching of flaws like CVE-2026-4705 in Firefox and Thunderbird WebRTC signaling component.

RA-5 Vulnerability Monitoring and Scanning good match

preventdetect

Requires vulnerability scanning to identify unpatched instances of CVE-2026-4705 in deployed Mozilla browsers and clients.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Ensures dissemination of and response to security advisories like MFSA2026-20 documenting CVE-2026-4705 and its patches.

Security SummaryAI

CVE-2026-4705 involves undefined behavior in the WebRTC Signaling component, affecting Mozilla Firefox and Thunderbird products. The vulnerability was addressed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9, meaning earlier versions remain susceptible. It carries associated CWEs including NVD-CWE-noinfo and CWE-758, and was published on 2026-03-24.

Attackers can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing the scope (S:U). Successful exploitation enables high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 9.8.

Mozilla's security advisories, including MFSA2026-20, MFSA2026-22, MFSA2026-23, and MFSA2026-24, along with Bugzilla entry 2014873, document the issue and confirm fixes in the specified versions as the primary mitigation. Security practitioners should prioritize updating affected browsers and email clients to patched releases.

Details

CWE(s): NVD-CWE-noinfo CWE-758

Affected Products

mozilla

firefox

≤ 140.9.0 · ≤ 149.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Undefined behavior in WebRTC signaling component with CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicates remote client-side memory corruption or code execution flaw in Firefox/Thunderbird; directly enables T1203 (Exploitation for Client Execution) via malicious WebRTC signaling without requiring privileges or explicit user interaction beyond normal app usage.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2014873
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-20/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-22/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-23/
security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-24/
security@mozilla.org