Description
Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Published: 2026-02-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Netmonitor component allows an attacker to increase privileges within the user’s environment. The vulnerability is categorized as CWE‑269, indicating a weakness in the mechanism that manages user permissions. When exploited, the attacker can attain higher privilege levels than originally granted, potentially enabling further malicious actions such as executing arbitrary code or accessing protected data.

Affected Systems

Mozilla products – Firefox and Thunderbird, including both standard and ESR releases, are affected. The vulnerability exists in any version prior to Firefox 148 and Firefox ESR 140.8, as well as Thunderbird 148 and Thunderbird ESR 140.8. Users running earlier releases should verify the specific version and apply the corresponding update.

Risk and Exploitability

The CVSS base score of 8.8 classifies the flaw as high severity, while the EPSS score of less than 1 % indicates a low probability of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Based on the component’s role in network monitoring, the likely attack vector is local or semi‑remote exploitation within the application; this inference is drawn from the description, as the official CVE entry does not detail the exact vector.

Generated by OpenCVE AI on April 15, 2026 at 16:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 148 or later, or upgrade Firefox ESR to 140.8 or later.
  • Upgrade Thunderbird to version 148 or later, or upgrade Thunderbird ESR to 140.8 or later.
  • If an immediate update is not feasible, run the browsers under a non‑administrative user account with sandboxing enabled, and limit the use of network monitoring features via application settings or policy restrictions.

Generated by OpenCVE AI on April 15, 2026 at 16:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4495-1 thunderbird security update
Debian DLA Debian DLA DLA-4496-1 firefox-esr security update
Debian DSA Debian DSA DSA-6148-1 firefox-esr security update
Debian DSA Debian DSA DSA-6152-1 thunderbird security update
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8. Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Thu, 26 Feb 2026 05:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 25 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269

Wed, 25 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr
Mozilla thunderbird

Wed, 25 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Tue, 24 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
Description Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8. Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
References

Tue, 24 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
Description Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.
Title Privilege escalation in the Netmonitor component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:53:27.919Z

Reserved: 2026-02-19T15:06:15.435Z

Link: CVE-2026-2782

cve-icon Vulnrichment

Updated: 2026-02-25T17:18:17.648Z

cve-icon NVD

Status : Modified

Published: 2026-02-24T14:16:26.640

Modified: 2026-04-13T15:17:25.930

Link: CVE-2026-2782

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-24T13:33:16Z

Links: CVE-2026-2782 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:15:10Z

Weaknesses