CVE-2026-4725

Critical

Published: 24 March 2026

Published

24 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0001 2.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the use-after-free flaw by requiring timely application of vendor patches such as Firefox 149 and Thunderbird 149.

SI-16 Memory Protection good match

prevent

Implements memory protections like address space layout randomization and data execution prevention to mitigate use-after-free vulnerabilities and prevent arbitrary code execution.

SC-39 Process Isolation partial match

prevent

Enforces process isolation techniques such as browser sandboxing to restrict the scope of sandbox escape attempts even if the use-after-free occurs.

Security SummaryAI

CVE-2026-4725 is a sandbox escape vulnerability stemming from a use-after-free flaw in the Graphics: Canvas2D component of Mozilla Firefox and Thunderbird. Assigned CWE-416, it received a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and scope change with high impacts across confidentiality, integrity, and availability. The issue was addressed in Firefox version 149 and Thunderbird version 149.

Remote attackers can exploit this vulnerability by tricking users into visiting a malicious website or loading crafted content that triggers the use-after-free in Canvas2D rendering. No authentication or user privileges are needed, and exploitation requires no user interaction beyond normal browsing. Successful exploitation allows attackers to escape the browser's sandbox, potentially leading to arbitrary code execution on the host system with full confidentiality, integrity, and availability impacts.

Mozilla's security advisories (MFSA 2026-20 and MFSA 2026-23) and the associated Bugzilla entry (bug 2017108) detail the patch deployment in Firefox 149 and Thunderbird 149, recommending immediate updates to mitigate the flaw. Practitioners should prioritize upgrading affected browsers and monitor for patches in derivative products.

Details

CWE(s): CWE-416

Affected Products

mozilla

firefox

≤ 149.0

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

CVE enables drive-by compromise via malicious website/crafted content triggering UAF in browser Canvas2D (T1189), client application exploitation for code execution (T1203), and sandbox escape for host-level privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2017108
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-20/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-23/
security@mozilla.org