CVE-2026-4715

Critical

Published: 24 March 2026

Published

24 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Score 0.0003 7.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely patching of software flaws like the uninitialized memory vulnerability in Firefox Canvas2D to eliminate exploitability.

RA-5 Vulnerability Monitoring and Scanning partial match

preventdetect

Requires scanning for vulnerabilities such as CVE-2026-4715 in browser components and initiating remediation to affected systems.

SI-16 Memory Protection partial match

prevent

Provides memory protection mechanisms that mitigate unauthorized disclosure or crashes from uninitialized memory exploitation.

Security SummaryAI

CVE-2026-4715 is an uninitialized memory vulnerability (CWE-908) in the Graphics: Canvas2D component of Mozilla products. It affects Firefox versions prior to 149, Firefox ESR versions prior to 140.9, Thunderbird versions prior to 149, and Thunderbird versions prior to 140.9. The vulnerability was publicly disclosed on 2026-03-24 and carries a CVSS v3.1 base score of 9.1, indicating critical severity.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, no user interaction, and without changing the scope of impact. Successful exploitation enables high confidentiality and availability impacts, such as unauthorized disclosure of sensitive information from uninitialized memory or denial-of-service via crashes, without affecting integrity.

Mozilla security advisories (MFSA 2026-20, 22, 23, 24) and the associated Bugzilla entry (bug 2018405) detail the patch, recommending immediate updates to Firefox 149, Firefox ESR 140.9, Thunderbird 149, or Thunderbird 140.9 to mitigate the issue. No workarounds are specified in the provided references.

Details

CWE(s): CWE-908

Affected Products

mozilla

firefox

≤ 140.9.0 · ≤ 149.0

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Uninitialized memory read in client-side Canvas2D rendering enables remote exploitation via malicious web content or email (Drive-by Compromise) and direct browser crashes for DoS (Application or System Exploitation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2018405
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-20/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-22/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-23/
security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-24/
security@mozilla.org