CVE-2026-4708
Published: 24 March 2026
Description
Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely remediation of the graphics component boundary condition flaw in Mozilla products via patching to fixed versions like Firefox 149.
Enables identification of systems vulnerable to CVE-2026-4708 through ongoing vulnerability scanning of Firefox and Thunderbird installations.
Addresses CWE-754 improper checks for exceptional conditions by requiring the system to handle boundary errors in the Graphics component without causing DoS crashes.
Security SummaryAI
CVE-2026-4708 is a vulnerability involving incorrect boundary conditions in the Graphics component of Mozilla products. It affects Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR, with fixes applied in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. The issue is classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions) and received a CVSS v3.1 base score of 7.5.
An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation results in high-impact denial of service, such as application crashes, without affecting confidentiality or integrity.
Mozilla's security advisories (MFSA 2026-20, 2026-22, 2026-23, and 2026-24) and the associated Bugzilla entry (bug 2015268) detail the patches released in the specified versions, recommending users upgrade immediately to mitigate the risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of graphics boundary condition flaw directly enables application crashes for denial of service, mapping to T1499.004 Application or System Exploitation.