CVE-2026-4718
Published: 24 March 2026
Description
Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely identification, reporting, and correction of software flaws like the undefined behavior in WebRTC Signaling via vendor patches in Firefox 149+ and Thunderbird 149+.
Enables scanning and monitoring to identify systems running vulnerable versions of Firefox, Firefox ESR, or Thunderbird affected by CVE-2026-4718.
Requires monitoring security advisories like Mozilla MFSA 2026-20 to promptly learn of and respond to CVE-2026-4718 patches.
Security SummaryAI
CVE-2026-4718 is a vulnerability involving undefined behavior in the WebRTC Signaling component, affecting Mozilla Firefox, Firefox ESR, and Thunderbird prior to their respective fixed versions. Published on March 24, 2026, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and is associated with CWE-758.
Attackers can exploit this vulnerability remotely over the network with low complexity and no required privileges, though user interaction is necessary. Successful exploitation enables high-impact confidentiality and integrity violations, such as unauthorized access to sensitive data or modification of information within the affected browser or email client context.
Mozilla's security advisories (MFSA 2026-20, 22, 23, and 24) and the associated Bugzilla entry (bug 2014864) detail the issue and confirm patches in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9, recommending immediate upgrades to mitigate the risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Undefined behavior in browser/WebRTC client component (high C/I impact, remote+UI:R) directly enables drive-by site visits or crafted content to trigger client-side exploitation and code/data access.