Cyber Posture

CVE-2026-4726

High

Published: 24 March 2026
Modified: 13 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0001 (2.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Denial-of-service in the XML component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Mitigating Controls (NIST 800-53 r5)

Prevent: Flaw remediation directly mitigates CVE-2026-4726 by requiring timely application of patches, in this case Firefox and Thunderbird version 149, to eliminate the XML parser resource exhaustion vulnerability.

Prevent: Denial-of-service protection implements mechanisms to counter resource exhaustion attacks such as the uncontrolled resource consumption in the XML component.

Prevent: Resource availability protection safeguards against unauthorized resource depletion, directly addressing the CWE-400 uncontrolled consumption triggered by malicious XML inputs.

Security Summary

CVE-2026-4726 is a denial-of-service vulnerability in the XML component of Mozilla Firefox and Thunderbird, stemming from uncontrolled resource consumption as classified under CWE-400. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects. The vulnerability was fixed in Firefox version 149 and Thunderbird version 149.

A remote, unauthenticated attacker can exploit this over the network with low complexity and no user interaction required. Exploitation triggers resource exhaustion in the XML parser, leading to denial of service such as application crashes or severe performance degradation in affected browsers or email clients.

Mozilla's security advisories MFSA 2026-20 and MFSA 2026-23 document the patch details and release notes, with additional technical analysis available in Bugzilla bug 1955311. Mitigation involves updating to Firefox 149 or Thunderbird 149, as no workarounds are specified in the provided references.

Details

CWE(s): CWE-400 (Uncontrolled Resource Consumption)

Affected Products

Vendor: mozilla, Product: firefox, Versions: ≤ 149.0
Vendor: mozilla, Product: thunderbird, Versions: ≤ 149.0

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

Why these techniques?

The CVE directly describes remote exploitation of the XML parser for resource exhaustion (CWE-400), which matches the T1499.003 Application Exhaustion Flood sub-technique under Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References