Description
Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
Published: 2026-01-13
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption with potential arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a set of memory safety bugs in Firefox 146 and Thunderbird 146 that can corrupt memory. Several of these bugs were shown to corrupt memory, and the description indicates that with sufficient effort they could have allowed an attacker to run arbitrary code on the victim machine. The weakness is a classic buffer overflow (CWE-119).

Affected Systems

Mozilla Firefox version 146 and Mozilla Thunderbird version 146 are affected. The bugs were fixed in Firefox 147 and Thunderbird 147, so any user running the older major releases is at risk.

Risk and Exploitability

The CVSS score of 9.8 reflects the severe impact of the vulnerability, with full confidentiality, integrity, and availability compromise if exploited. However, the EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, indicating that exploitation is currently unlikely or not widely observed. Based on the nature of the bug, the probable attack vector involves delivering crafted content—such as a malicious webpage or email—that triggers the memory corruption. No specific external attack method is defined in the advisory, so the inference is that a standard content-based exploit is the likely path.

Generated by OpenCVE AI on April 15, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Firefox release (147 or newer).
  • Apply the latest Thunderbird release (147 or newer).
  • Enable automatic updates to ensure the system receives future security patches promptly.

Generated by OpenCVE AI on April 15, 2026 at 17:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147 and Thunderbird < 147. Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 147 and Thunderbird 147.

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*

Thu, 15 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147. Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147 and Thunderbird < 147.
References

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird

Wed, 14 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 13 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 14:00:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 147.
Title Memory safety bugs fixed in Firefox 147 and Thunderbird 147
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:52:12.599Z

Reserved: 2026-01-13T13:30:59.693Z

Link: CVE-2026-0892

cve-icon Vulnrichment

Updated: 2026-01-13T14:23:56.154Z

cve-icon NVD

Status : Modified

Published: 2026-01-13T14:16:39.723

Modified: 2026-04-13T15:17:18.797

Link: CVE-2026-0892

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-13T13:30:59Z

Links: CVE-2026-0892 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses