Description
Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Published: 2026-01-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a use‑after‑free bug in the Inter‑Process Communication (IPC) component of Mozilla products. The flaw can allow an attacker to read or write arbitrary memory, potentially leading to remote code execution on the affected system. It is classified as CWE‑416, reflecting an application weakness where a program uses memory after it has been freed. The vulnerability was discovered and later fixed in the specified product releases.

Affected Systems

The flaw affects Mozilla Firefox and Thunderbird. For Firefox, the vulnerability is fixed in Firefox 147, Firefox ESR 115.32 and ESR 140.7. For Thunderbird, it is fixed in Thunderbird 147 and Thunderbird 140.7. Users running earlier releases of these products are exposed to the risk.

Risk and Exploitability

The CVSS score is 8.8, indicating high severity. The EPSS score is listed as < 1%, which signifies a very low but non‑zero probability of exploitation at the time of assessment. The vulnerability is not listed in the CISA KEV catalog. The attack vector is not explicitly stated; however, based on the nature of the flaw, it is reasonable to infer that exploitation would require an attacker to interact with the IPC mechanism, potentially through a local or remote process that can trigger the use‑after‑free condition. Given the high impact, the risk is considered significant for systems that have not yet applied the patch.

Generated by OpenCVE AI on April 15, 2026 at 15:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a patched release: Firefox 147 or newer, Firefox ESR 115.32 or newer, Firefox ESR 140.7 or newer, Thunderbird 147 or newer, or Thunderbird 140.7 or newer.
  • Restart the system to ensure all processes match the updated binaries.
  • Continuously monitor for suspicious IPC activity and maintain other software at the latest secure versions.



Advisories
Source | ID | Title
Debian DLA | DLA-4439-1 | firefox-esr security update
Debian DLA | DLA-4442-1 | thunderbird security update
Debian DSA | DSA-6101-1 | firefox-esr security update
Debian DSA | DSA-6103-1 | thunderbird security update
Ubuntu USN | USN-7991-1 | Thunderbird vulnerabilities

History

Mon, 13 Apr 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. | Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

Thu, 22 Jan 2026 23:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla thunderbird
CPEs | | cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*; cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*; cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*; cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products | | Mozilla thunderbird

Thu, 15 Jan 2026 09:45:00 +0000

Type | Values Removed | Values Added
Description | Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, and Firefox ESR < 140.7. | Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
References | |

Wed, 14 Jan 2026 11:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla; Mozilla firefox; Mozilla firefox Esr
Vendors & Products | | Mozilla; Mozilla firefox; Mozilla firefox Esr

Wed, 14 Jan 2026 00:15:00 +0000


Tue, 13 Jan 2026 19:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Use-after-free in the IPC component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, and Firefox ESR < 140.7.
Title | | Use-after-free in the IPC component
References | |

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:48.764Z

Reserved: 2026-01-13T13:30:55.389Z

Link: CVE-2026-0882

Vulnrichment

Updated: 2026-01-13T18:22:23.959Z

NVD

Status: Modified

Published: 2026-01-13T14:16:38.750

Modified: 2026-04-13T15:17:17.050

Link: CVE-2026-0882

Redhat

Severity: Important

Public Date: 2026-01-13T13:30:55Z

Links: CVE-2026-0882 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses