CVE-2026-4711
Published: 24 March 2026
Description
Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of flaws like the use-after-free vulnerability via patching to fixed Firefox and Thunderbird versions.
Implements memory protection controls such as address space layout randomization and non-executable memory to mitigate exploitation of the use-after-free vulnerability in the Widget: Cocoa component.
Scans systems for vulnerabilities like CVE-2026-4711 to identify unpatched Firefox, ESR, and Thunderbird installations requiring remediation.
Security SummaryAI
CVE-2026-4711 is a use-after-free vulnerability (CWE-416) in the Widget: Cocoa component, affecting Mozilla Firefox, Firefox ESR, and Thunderbird. Published on 2026-03-24, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for severe impact.
The vulnerability enables exploitation by unauthenticated remote attackers over the network with low attack complexity and no user interaction required. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, such as arbitrary code execution or system compromise on affected systems.
Mozilla security advisories (MFSA 2026-20, 2026-22, 2026-23, and 2026-24) and Bugzilla entry 2017002 detail the fix, which was applied in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. Security practitioners should ensure users upgrade to these patched versions for mitigation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in browser client (Firefox/Thunderbird) directly enables remote arbitrary code execution via malicious web content (T1189 Drive-by Compromise) and client-side exploitation for code execution (T1203).