CVE-2026-4724
Published: 24 March 2026
Description
Undefined behavior in the Audio/Video component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of software flaws like the undefined behavior in Firefox/Thunderbird audio/video components fixed in version 149.
Mandates receiving, disseminating, and acting on vendor security advisories such as MFSA 2026-20 and MFSA 2026-23 to apply patches mitigating this CVE.
Enables vulnerability scanning to identify systems running vulnerable Firefox or Thunderbird versions prior to 149 affected by this critical flaw.
Security SummaryAI
CVE-2026-4724 is a vulnerability involving undefined behavior in the Audio/Video component of Mozilla Firefox and Thunderbird. It affects versions of these browsers prior to 149 and is classified under CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior). The issue carries a CVSS v3.1 base score of 9.1, indicating critical severity due to its potential for high impact on confidentiality and integrity.
Remote attackers can exploit this vulnerability over a network with low complexity, requiring no privileges or user interaction. Successful exploitation allows attackers to achieve high confidentiality impact by accessing sensitive data and high integrity impact by modifying application data, without affecting availability or changing the scope.
Mozilla's security advisories (MFSA 2026-20 and MFSA 2026-23) and the associated Bugzilla entry detail the fix implemented in Firefox 149 and Thunderbird 149. Security practitioners should prioritize updating affected browsers to these versions for mitigation.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network exploit in browser media component (no auth/UI) enables drive-by compromise via malicious sites and direct client application exploitation for code execution.