Description
Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Published: 2026-02-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw arises from incorrect boundary handling in the Web Audio component, creating a buffer over-read/write that can crash the browser or enable arbitrary code execution. This boundary error is catalogued as CWE-119 and can be leveraged by a malicious web page or email containing a crafted AudioContext to corrupt memory or trigger an exploit. As a result, an attacker could compromise the confidentiality, integrity, and availability of the affected system.

Affected Systems

Mozilla Firefox users running any version prior to Firefox 148, including ESR builds older than versions 115.33 and 140.8, are impacted. Similarly, Thunderbird users on versions before Thunderbird 148, including ESR builds older than 140.8, are at risk.

Risk and Exploitability

With a CVSS score of 9.8, the vulnerability is classified as critical, yet the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is inferred to be a user accessing a malicious web page or opening a crafted email that exploits the Web Audio API; an attacker must first entice a vulnerable user to load the content. No mitigations are documented beyond remediation by an update, so the exposure persists until the affected products receive a patch or the component is disabled.

Generated by OpenCVE AI on April 15, 2026 at 15:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Mozilla’s official patch by upgrading to Firefox 148 or newer, or ESR 115.33/140.8, and upgrade Thunderbird to version 148 or newer, or ESR 140.8 or newer.
  • If an immediate update is not possible, block or disable the Web Audio API through browser configuration (e.g., via about:config or policy) to prevent any scripts from creating AudioContext objects.
  • Enforce a strict Content Security Policy that limits or disallows JavaScript that constructs audio contexts, and regularly review mail and web content handling settings to mitigate potential exploitation.

Advisories
| Source | ID | Title |
|---|---|---|
| Debian DLA | DLA-4495-1 | thunderbird security update |
| Debian DLA | DLA-4496-1 | firefox-esr security update |
| Debian DSA | DSA-6148-1 | firefox-esr security update |
| Debian DSA | DSA-6152-1 | thunderbird security update |

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Incorrect boundary conditions in the Web Audio component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
  Values Added: Incorrect boundary conditions in the Web Audio component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Sat, 28 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Wed, 25 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Tue, 24 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Incorrect boundary conditions in the Web Audio component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.
  Values Added: Incorrect boundary conditions in the Web Audio component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
References

Tue, 24 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Web Audio component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, and Firefox ESR < 140.8.
Title Incorrect boundary conditions in the Web Audio component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-16T14:31:07.312Z

Reserved: 2026-02-19T15:05:53.926Z

Link: CVE-2026-2773

Vulnrichment

Updated: 2026-02-28T02:38:38.639Z

NVD

Status: Modified

Published: 2026-02-24T14:16:25.703

Modified: 2026-04-13T15:17:23.983

Link: CVE-2026-2773

Red Hat

Severity: Important

Public Date: 2026-02-24T13:33:10Z

Links: CVE-2026-2773 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T17:15:10Z

Weaknesses