Description
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Published: 2026-01-13
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in the JavaScript engine, which can allow an attacker to manipulate memory after the original reference has been released. This flaw enables arbitrary code execution, potentially compromising confidentiality, integrity, and availability of the affected system. The weakness is categorized as CWE-416 and is classified as critical with a CVSS score of 9.8.

Affected Systems

The flaw affects Mozilla Firefox versions prior to 147 and Firefox ESR prior to 140.7, as well as Mozilla Thunderbird versions prior to 147 and Thunderbird ESR prior to 140.7. These products are used in a wide range of desktop and mobile environments, and any installation of the listed software that has not applied the fix is vulnerable.

Risk and Exploitability

With a low EPSS (<1%) the measured likelihood of exploitation is minimal, but the high CVSS suggests that an exploit, if discovered, would be devastating. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the attack vector is likely through malicious web content or email attachments that trigger the JavaScript engine, but no explicit attack path is provided by the vendor advisory.

Generated by OpenCVE AI on April 15, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 147 or Firefox ESR 140.7 or newer
  • Upgrade to Thunderbird 147 or Thunderbird ESR 140.7 or newer
  • If an upgrade cannot be performed immediately, consider disabling JavaScript in the security settings or using an alternative browser that is not affected.

Advisories
Source | ID | Title
Debian DLA | DLA-4439-1 | firefox-esr security update
Debian DLA | DLA-4442-1 | thunderbird security update
Debian DSA | DSA-6101-1 | firefox-esr security update
Debian DSA | DSA-6103-1 | thunderbird security update
Ubuntu USN | USN-7991-1 | Thunderbird vulnerabilities

History

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
Values Removed: Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
Values Added: Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

Thu, 22 Jan 2026 23:00:00 +0000

Type: First Time appeared
Values Added: Mozilla thunderbird

Type: CPEs
Values Added:
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Type: Vendors & Products
Values Added: Mozilla thunderbird

Thu, 15 Jan 2026 09:45:00 +0000

Type: Description
Values Removed: Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147 and Firefox ESR < 140.7.
Values Added: Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
References

Wed, 14 Jan 2026 11:15:00 +0000

Type: First Time appeared
Values Added:
Mozilla
Mozilla firefox
Mozilla firefox Esr

Type: Vendors & Products
Values Added:
Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 14 Jan 2026 00:15:00 +0000


Tue, 13 Jan 2026 16:15:00 +0000

Type: Weaknesses
Values Added: CWE-416

Type: Metrics
Values Added:
cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 14:00:00 +0000

Type: Description
Values Added: Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 147 and Firefox ESR < 140.7.

Type: Title
Values Added: Use-after-free in the JavaScript Engine component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:52.987Z

Reserved: 2026-01-13T13:30:56.343Z

Link: CVE-2026-0884

Vulnrichment

Updated: 2026-01-13T15:36:28.191Z

NVD

Status: Modified

Published: 2026-01-13T14:16:38.950

Modified: 2026-04-13T15:17:17.393

Link: CVE-2026-0884

Redhat

Severity: Moderate

Public Date: 2026-01-13T13:30:56Z

Links: CVE-2026-0884 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses