CVE-2026-4722
Published: 24 March 2026
Description
Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the CVE by requiring timely remediation through patching Firefox and Thunderbird to version 149 or later, where the IPC privilege escalation flaw is fixed.
- Enforces a reference monitor for access control decisions in IPC communications, mitigating unauthorized privilege escalation between browser processes.
- Maintains process isolation in the browser to limit the scope and impact of IPC-based privilege escalation exploits.
Security Summary
CVE-2026-4722 is a privilege escalation vulnerability in the IPC component of Mozilla Firefox and Thunderbird. It affects versions of these products prior to 149, where the issue was addressed. Published on 2026-03-24, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with the CWE category NVD-CWE-noinfo.
The vulnerability can be exploited by remote attackers requiring low attack complexity and no privileges, though user interaction is necessary. Successful exploitation enables high-impact consequences on confidentiality, integrity, and availability within the unchanged scope, allowing privilege escalation in the affected browser processes.
Mozilla's security advisories MFSA 2026-20 and MFSA 2026-23 detail the fix implemented in Firefox 149 and Thunderbird 149. Additional technical information is available in Bugzilla entry 2010097.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE explicitly describes a privilege escalation vulnerability in the browser IPC component (a sandbox escape pattern), which directly maps to T1068 Exploitation for Privilege Escalation via a remote exploit that requires user interaction.