Description
Integer overflow in the JavaScript: Standard Library component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Published: 2026-02-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Potential remote code execution
Action: Immediate Patch
AI Analysis

Impact

The flaw is an integer overflow in the JavaScript Standard Library component of Mozilla Firefox and Thunderbird. The overflow could cause memory corruption or instability. Based on the description, it is inferred that this could enable arbitrary code execution in the worst case. The high CVSS score of 9.8 indicates that successful exploitation would have severe consequences, although the official advisory does not explicitly confirm code execution as a documented outcome.

Affected Systems

The vulnerability affects Mozilla Firefox before version 148, Firefox ESR before 140.8, Mozilla Thunderbird before version 148, and Thunderbird ESR before 140.8. Builds at or after those versions contain the fix and are not affected.

Risk and Exploitability

The exploitation probability remains very low, with an EPSS score below 1% and no listing in the current CISA Known Exploited Vulnerabilities catalog. Attackers would need to induce the affected engine to execute malicious JavaScript, for example by hosting a malicious web page viewed in Firefox or delivering a corrupt email to Thunderbird. While the mechanism could be leveraged for code execution, this has not been publicly demonstrated, so the threat remains inferred rather than confirmed.

Generated by OpenCVE AI on April 15, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 148 or later, including ESR 140.8 and newer releases.
  • Upgrade Thunderbird to version 148 or later, including ESR 140.8 and newer releases.
  • If an immediate upgrade is not possible, restrict the execution of untrusted JavaScript by disabling scripts from unknown origins, applying a browser policy that sandboxes or blocks external scripts, or otherwise limiting the ability of the application to run arbitrary JavaScript content.

Advisories
Source      ID          Title
Debian DLA  DLA-4495-1  thunderbird security update
Debian DLA  DLA-4496-1  firefox-esr security update
Debian DSA  DSA-6148-1  firefox-esr security update
Debian DSA  DSA-6152-1  thunderbird security update

History

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
Values Removed: Integer overflow in the JavaScript: Standard Library component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
Values Added: Integer overflow in the JavaScript: Standard Library component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Sat, 28 Feb 2026 03:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 17:45:00 +0000

Type: Weaknesses
Values Added: CWE-190

Type: CPEs
Values Added:
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 25 Feb 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Mozilla; Mozilla firefox; Mozilla firefox Esr; Mozilla thunderbird

Type: Vendors & Products
Values Added: Mozilla; Mozilla firefox; Mozilla firefox Esr; Mozilla thunderbird

Wed, 25 Feb 2026 00:15:00 +0000

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}; threat_severity Important


Tue, 24 Feb 2026 18:00:00 +0000

Type: Description
Values Removed: Integer overflow in the JavaScript: Standard Library component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.
Values Added: Integer overflow in the JavaScript: Standard Library component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

Type: References

Tue, 24 Feb 2026 14:00:00 +0000

Type: Description
Values Added: Integer overflow in the JavaScript: Standard Library component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.

Type: Title
Values Added: Integer overflow in the JavaScript: Standard Library component

Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-15T15:39:20.955Z

Reserved: 2026-02-19T15:05:27.383Z

Link: CVE-2026-2762

Vulnrichment

Updated: 2026-02-28T02:24:56.199Z

NVD

Status: Modified

Published: 2026-02-24T14:16:24.480

Modified: 2026-04-13T15:17:21.310

Link: CVE-2026-2762

Redhat

Severity: Important

Public Date: 2026-02-24T13:33:01Z

Links: CVE-2026-2762 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z
