CVE-2026-4710

Critical

Published: 24 March 2026

Published

24 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 7.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of system flaws, directly mandating patching of this critical buffer overflow vulnerability in Firefox and Thunderbird.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms like ASLR, DEP, and stack canaries that directly mitigate exploitation of buffer overflow vulnerabilities such as CVE-2026-4710.

SI-10 Information Input Validation partial match

prevent

Mandates validation of information inputs to the Audio/Video component, addressing improper boundary conditions that enable the buffer overflow.

Security SummaryAI

CVE-2026-4710 involves incorrect boundary conditions in the Audio/Video component of Mozilla products, including Firefox and Thunderbird. This vulnerability, classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and NVD-CWE-noinfo, was addressed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. It carries a CVSS v3.1 base score of 9.8, reflecting its critical severity, and was published on 2026-03-24.

The vulnerability enables remote exploitation over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing scope (S:U). Attackers can achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially leading to arbitrary code execution, data compromise, or system disruption on affected systems.

Mozilla's security advisories (MFSA2026-20, MFSA2026-22, MFSA2026-23, MFSA2026-24) and Bugzilla entry (bug 2016370) confirm the issue and recommend updating to the fixed versions—Firefox 149, Firefox ESR 140.9, Thunderbird 149, or Thunderbird 140.9—as the primary mitigation. No additional workarounds are specified in the provided references.

Details

CWE(s): NVD-CWE-noinfo CWE-119

Affected Products

mozilla

firefox

≤ 140.9.0 · ≤ 149.0

mozilla

thunderbird

≤ 140.9.0 · ≤ 149.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Remote memory corruption (CWE-119) in client application (Firefox/Thunderbird A/V component) directly enables arbitrary code execution with no user interaction or privileges, mapping to Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2016370
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-20/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-22/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-23/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-24/
Vendor Advisory · security@mozilla.org