CVE-2026-4709
Published: 24 March 2026
Description
Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely remediation of known software flaws like this boundary condition vulnerability in the GMP component via vendor patches such as those in Firefox 149 and Thunderbird 149.
Requires vulnerability scanning to identify deployments of vulnerable Firefox and Thunderbird versions affected by this GMP boundary condition issue.
Ensures monitoring of security advisories like MFSA 2026-20, 2026-21, and 2026-22 to facilitate prompt patching of this CVE.
Security SummaryAI
CVE-2026-4709 is a vulnerability stemming from incorrect boundary conditions in the Audio/Video: GMP component of Mozilla products. It affects Firefox versions prior to 149, Firefox ESR versions prior to 115.34 and 140.9, Thunderbird versions prior to 149 and 140.9. The issue is classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions) and carries a CVSS v3.1 base score of 7.5.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation results in high-impact denial of service, such as application crashes, with no impact on confidentiality or integrity and unchanged scope.
Mozilla security advisories (MFSA 2026-20, 2026-21, and 2026-22) and related Bugzilla entries detail the patch status, confirming fixes in the specified Firefox and Thunderbird versions. Security practitioners should prioritize updating affected installations to mitigate exposure.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated exploitation of the boundary condition flaw in the GMP media component directly results in application crashes, mapping to Endpoint DoS via application/system exploitation.