CVE-2026-4720

Critical

Published: 24 March 2026

Published

24 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0003 7.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to…

run arbitrary code. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires organizations to identify, report, and correct system flaws like the memory safety bugs in CVE-2026-4720 through timely patching to updated versions such as Firefox 149.

SI-16 Memory Protection good match

prevent

SI-16 implements memory protection mechanisms such as non-executable memory and address space randomization to prevent unauthorized code execution from memory corruption exploits in CVE-2026-4720.

RA-5 Vulnerability Monitoring and Scanning good match

detect

RA-5 mandates vulnerability scanning to detect systems running vulnerable Firefox ESR 140.8 or Thunderbird ESR 140.8 affected by CVE-2026-4720's memory safety bugs.

Security SummaryAI

CVE-2026-4720 consists of multiple memory safety bugs, classified under CWE-120, present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148, and Thunderbird 148. Some of these bugs exhibited evidence of memory corruption, which Mozilla presumes could be exploited to run arbitrary code with sufficient effort. The vulnerability was published on 2026-03-24 and carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.

Attackers can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing scope (S:U). Successful exploitation could result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), enabling potential arbitrary code execution on affected systems.

Mozilla advisories MFSA2026-20, MFSA2026-22, MFSA2026-23, and MFSA2026-24 detail the issues, with fixes available in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird ESR 140.9. Additional technical information is provided in Bugzilla entries for bugs 2004652, 2019372, 2021922, 2022567, and 2022733.

Details

CWE(s): CWE-120

Affected Products

mozilla

firefox

≤ 140.9.0 · ≤ 149.0

mozilla

thunderbird

≤ 140.9.0 · ≤ 149.0

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Memory corruption RCE (CWE-120) in client applications (Firefox/Thunderbird) with no auth/UI required directly enables drive-by compromise via malicious web/email content and exploitation for client execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/buglist.cgi?bug_id=2004652%2C2019372%2C2021922%2C2022567%2C2022733
Broken Link · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-20/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-22/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-23/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-24/
Vendor Advisory · security@mozilla.org