Cyber Posture

CVE-2026-4717

Severity: Critical

Published: 24 March 2026
Modified: 13 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.1st percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5)

prevent

Requires timely identification, reporting, and correction of flaws such as this privilege escalation vulnerability in the Netmonitor component of Firefox and Thunderbird, by applying the vendor patches.

prevent

Enforces least privilege on processes and components, limiting the scope and impact of privilege escalation even if the Netmonitor vulnerability is exploited.

prevent

Provides process isolation to contain a privilege escalation attempt within the Netmonitor component, preventing it from reaching higher-privileged parts of the system.

Security Summary

CVE-2026-4717 is a privilege escalation vulnerability in the Netmonitor component affecting Mozilla Firefox prior to version 149, Firefox ESR prior to 140.9, Thunderbird prior to 149, and Thunderbird prior to 140.9. The issue has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, and no requirements for privileges or user interaction.

A remote attacker needs no authentication or privileges to exploit this vulnerability over the network. Successful exploitation has high impact on confidentiality, integrity, and availability: the attacker can escalate privileges within the affected application and potentially gain unauthorized control of the victim's system.

Mozilla security advisories (MFSA 2026-20, 22, 23, and 24) and the associated Bugzilla entry describe the fix shipped in the versions named above. Security practitioners should prioritize updating to Firefox 149, Firefox ESR 140.9, Thunderbird 149, or Thunderbird 140.9 to mitigate the vulnerability.

Details

CWE(s)

Affected Products

mozilla firefox: ≤ 140.9.0, ≤ 149.0

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The CVE describes a remote privilege escalation vulnerability with no authentication or user-interaction requirement, which maps directly to T1068 (Exploitation for Privilege Escalation): gaining control within the browser process and, from there, the host system.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References