Description
Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Published: 2026-01-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption via use-after-free in the JavaScript garbage collector
Action: Patch Immediately
AI Analysis

Impact

The CVE describes a use-after-free bug in the JavaScript garbage collector component of Mozilla Firefox and Thunderbird. The flaw can lead to memory corruption and potentially unstable behavior of the JavaScript engine. The advisory labels the issue as a moderate-severity vulnerability, but the vendor does not specify that the bug can be used to execute code or otherwise compromise data integrity or confidentiality.

Affected Systems

Mozilla Firefox and Thunderbird are impacted. Versions prior to Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird ESR 140.7 contain the flaw. The security advisories indicate that the vulnerability is fixed in the aforementioned releases and all later builds.

Risk and Exploitability

The CVSS score is 6.5, and the EPSS score is less than 1 %, signifying moderate severity but a low probability of exploitation at the time of analysis. The advisory does not list the vulnerability in the CISA KEV catalog. While the exact attack vector is not specified, it is reasonable to infer that an attacker would need to trigger the defect within the JavaScript engine—potentially by serving malicious scripts via a webpage or an email attachment. Successful exploitation would likely result in memory corruption; the impact does not include arbitrary code execution or system compromise per the vendor's description.

Generated by OpenCVE AI on April 15, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 147 or later, or to Firefox ESR 140.7 or later, and to Thunderbird 147 or later, or to Thunderbird ESR 140.7 or later.
  • If upgrading immediately is not possible, restrict or disable JavaScript in the affected products to mitigate exploitation risk.
  • Continue to monitor Mozilla security advisories for additional mitigation guidance and further updates.

Generated by OpenCVE AI on April 15, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4439-1 firefox-esr security update
Debian DLA Debian DLA DLA-4442-1 thunderbird security update
Debian DSA Debian DSA DSA-6101-1 firefox-esr security update
Debian DSA Debian DSA DSA-6103-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. Use-after-free in the JavaScript: GC component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Thu, 15 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147 and Firefox ESR < 140.7. Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
References

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 14 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 13 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 14:00:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript: GC component. This vulnerability affects Firefox < 147 and Firefox ESR < 140.7.
Title Use-after-free in the JavaScript: GC component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:54.970Z

Reserved: 2026-01-13T13:30:56.753Z

Link: CVE-2026-0885

cve-icon Vulnrichment

Updated: 2026-01-13T20:25:42.035Z

cve-icon NVD

Status : Modified

Published: 2026-01-13T14:16:39.050

Modified: 2026-04-13T15:17:17.567

Link: CVE-2026-0885

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-13T13:30:56Z

Links: CVE-2026-0885 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T22:00:06Z

Weaknesses