CVE-2026-4729

Critical

Published: 24 March 2026

Published

24 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 6.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was…

fixed in Firefox 149 and Thunderbird 149.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely identification, reporting, and patching of the memory safety bugs fixed in Firefox 149 and Thunderbird 149 to prevent exploitation.

SI-16 Memory Protection good match

prevent

Implements memory protection controls such as DEP and ASLR to directly prevent unauthorized code execution from memory corruption bugs like those in CVE-2026-4729.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Requires vulnerability scanning to identify the presence of CVE-2026-4729 in deployed Firefox and Thunderbird instances for subsequent remediation.

Security SummaryAI

CVE-2026-4729 is a set of memory safety bugs (classified under CWE-120: Buffer Copy without Checking Size of Input) affecting Firefox version 148 and Thunderbird version 148. These bugs exhibited evidence of memory corruption, which Mozilla presumes could be leveraged with sufficient effort to enable arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote compromise.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, user interaction, or special conditions. Successful exploitation could grant attackers high confidentiality, integrity, and availability impacts, potentially allowing full control over the affected browser or email client processes, including execution of arbitrary code within the victim's environment.

Mozilla's security advisories (MFSA 2026-20 and MFSA 2026-23) address the issue, with fixes implemented in Firefox 149 and Thunderbird 149. Security practitioners should prioritize updating affected instances to these versions, as detailed in the referenced Bugzilla entries for bugs 1944033, 1997282, 2009213, 2011412, 2021925, and 2022034.

Details

CWE(s): CWE-120

Affected Products

mozilla

firefox

≤ 149.0

mozilla

thunderbird

≤ 149.0

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

Memory corruption RCE in client software (browser/email) directly enables drive-by compromise via malicious content (T1189), exploitation for client execution (T1203), and arbitrary code/command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/buglist.cgi?bug_id=1944033%2C1997282%2C2009213%2C2011412%2C2021925%2C2022034
Broken Link · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-20/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-23/
Vendor Advisory · security@mozilla.org