CVE-2026-4727
Published: 24 March 2026
Description
Denial-of-service in the Libraries component in NSS. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely flaw remediation through patching Firefox and Thunderbird to version 149 or later, addressing the NSS resource exhaustion vulnerability.
Provides denial-of-service protection mechanisms such as resource limiting and validation to prevent exploitation of the uncontrolled resource consumption in NSS.
Ensures resource availability by allocating and monitoring resources to prevent exhaustion attacks like this CVE in the NSS libraries.
Security SummaryAI
CVE-2026-4727 is a denial-of-service vulnerability (CWE-400: Uncontrolled Resource Consumption) in the Libraries component of NSS (Network Security Services). It affects Mozilla products that incorporate NSS, including Firefox and Thunderbird prior to version 149. The issue was publicly disclosed on March 24, 2026, and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no authentication privileges or user interaction. Successful exploitation leads to a denial of service, causing high impact to availability through resource exhaustion, with no effects on confidentiality or integrity.
Mozilla's security advisories MFSA 2026-20 and MFSA 2026-23, along with Bugzilla entry 2008112, confirm the vulnerability and state that it was addressed in Firefox 149 and Thunderbird 149. Security practitioners should prioritize updating to these patched versions or later to mitigate the risk.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote resource exhaustion DoS (CWE-400) in NSS library directly enables T1499.004 Application or System Exploitation to impact availability with no auth/UI required.