CVE-2026-4716

Critical

Published: 24 March 2026

Published

24 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Score 0.0003 7.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely identification, prioritization, and remediation of flaws like the uninitialized memory and boundary condition errors in the JavaScript Engine via patching to fixed Firefox and Thunderbird versions.

SI-16 Memory Protection good match

prevent

Implements memory protection controls such as address space layout randomization and data execution prevention to minimize unauthorized access and exploitation of uninitialized memory disclosures in the JavaScript Engine.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Requires vulnerability scanning to identify systems running vulnerable versions of Firefox or Thunderbird affected by CVE-2026-4716, enabling targeted remediation.

Security SummaryAI

CVE-2026-4716 is a high-severity vulnerability involving incorrect boundary conditions and uninitialized memory in the JavaScript Engine component. It affects Mozilla Firefox versions prior to 149, Firefox ESR prior to 140.9, Thunderbird prior to 149, and Thunderbird prior to 140.9. The issue, classified under CWE-908 (Use of Uninitialized Resource), received a CVSS v3.1 base score of 9.1, reflecting its critical nature due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

A remote attacker can exploit this vulnerability over the network without authentication or user interaction. Successful exploitation enables high-impact confidentiality violations, such as disclosure of sensitive memory contents, and high-impact availability disruptions, potentially leading to denial-of-service conditions like application crashes, all within the unchanged security scope.

Mozilla addressed the vulnerability in the specified fixed releases: Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. Security advisories, including MFSA2026-20, MFSA2026-22, MFSA2026-23, and MFSA2026-24, along with Bugzilla entry 2018592, detail the patches and recommend immediate updates to mitigate the risk.

Details

CWE(s): CWE-908

Affected Products

mozilla

firefox

≤ 140.9.0 · ≤ 149.0

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Vulnerability directly enables memory content disclosure (maps to data collection from local system) and application crashes via uninitialized memory use (maps to application exploitation for DoS); no RCE/integrity impact indicated so execution techniques excluded.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2018592
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-20/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-22/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-23/
security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-24/
security@mozilla.org