Description
Use-after-free in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Published: 2026-02-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free flaw in the JavaScript engine’s JIT component allows an attacker to manipulate the memory management of the engine. Exploiting this defect can lead to arbitrary code execution, permitting complete compromise of confidentiality, integrity, and availability of the affected browser or mail client. The weakness is classified as CWE‑416, a typical memory corruption vulnerability where a reference is used after the target has been freed.

Affected Systems

Mozilla’s Firefox and Thunderbird browsers are impacted when running versions prior to 148 for the standard release and prior to ESR 140.8 for the extended‑support line. Specifically, any installation of Firefox 147 or earlier, Firefox ESR 140.7 or earlier, Thunderbird 147 or earlier, or Thunderbird ESR 140.7 or earlier is vulnerable.

Risk and Exploitability

The CVSS v3.1 severity is 9.8, indicating a critical risk. The EPSS indicates a very low probability of exploitation in the short term (< 1 %) and the vulnerability is not in the CISA Known Exploited Vulnerabilities catalog, suggesting no active exploitation campaigns are publicly documented. However, the attack path is likely through malicious web content or compromised email attachments that trigger the JavaScript engine, and attackers could gain control of the user’s system remotely. The combination of high severity and the remote nature of the vectors underlines the need for prompt mitigation.

Generated by OpenCVE AI on April 15, 2026 at 15:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 148 or later (or Firefox ESR 140.8 or later) and Thunderbird 148 or later (or Thunderbird ESR 140.8 or later).
  • If an immediate update cannot be applied, reduce the attack surface by disabling JavaScript or restricting script execution from untrusted origins using browser security settings or content‑security policies.
  • Stay current with Mozilla security releases and regularly review the MFSA advisories for any additional patches or mitigations.

Generated by OpenCVE AI on April 15, 2026 at 15:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4495-1 thunderbird security update
Debian DLA Debian DLA DLA-4496-1 firefox-esr security update
Debian DSA Debian DSA DSA-6148-1 firefox-esr security update
Debian DSA Debian DSA DSA-6152-1 thunderbird security update
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. Use-after-free in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Sat, 28 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Wed, 25 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important

Tue, 24 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8. Use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
References

Tue, 24 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.
Title Use-after-free in the JavaScript Engine: JIT component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-16T14:28:29.474Z

Reserved: 2026-02-19T15:05:37.180Z

Link: CVE-2026-2766

cve-icon Vulnrichment

Updated: 2026-02-28T02:32:17.275Z

cve-icon NVD

Status : Modified

Published: 2026-02-24T14:16:24.973

Modified: 2026-04-13T15:17:22.677

Link: CVE-2026-2766

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-24T13:33:04Z

Links: CVE-2026-2766 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:15:10Z

Weaknesses