Description
Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 148.
Published: 2026-02-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Uninitialized memory in Firefox and Firefox Focus for Android can lead to accidental exposure of private data such as browsing history, cookies, or stored credentials. The bug is classified as CWE-908, Improper Memory Management, because the browser does not clear memory buffers before reuse, allowing an attacker to read residual data after a view or component is no longer in use. The vulnerability does not require code execution or elevated privileges, but it can compromise the confidentiality of user information.

Affected Systems

The flaw affects Mozilla Firefox on desktop and Firefox Focus on Android. All builds released prior to Firefox 148 contain the defect, as the fix was introduced in that version. Users of earlier releases are at risk until they upgrade.

Risk and Exploitability

With a CVSS score of 6.5, the vulnerability is considered moderate, primarily affecting the confidentiality of user data through a CWE-908 (Improper Memory Management) flaw. The EPSS score of less than 1% and absence from CISA's KEV catalog suggest that exploitation of this flaw is unlikely in the wild. The attack vector is not explicitly detailed in the available data; based on the description, it is inferred that the leak may be triggered by local user interaction or by a malicious web page that causes the browser to access uninitialized memory. This does not require code execution or elevated privileges, and the impact is limited to information disclosure.

Generated by OpenCVE AI on April 15, 2026 at 16:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 148 or newer, which removes the uninitialized memory handling bug and prevents information disclosure.
  • For Firefox Focus users, confirm that the latest security update is installed on their Android device, either through the Google Play Store or direct Mozilla update channels.
  • If immediate upgrade is not possible, monitor for any local triggers that might expose sensitive memory and avoid browsing sites that may exploit the memory path while awaiting the official patch.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
Values Removed: Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability affects Firefox < 148.
Values Added: Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 148.

Fri, 27 Feb 2026 06:15:00 +0000

Type: Metrics
Values Removed:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added:
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Wed, 25 Feb 2026 19:30:00 +0000

Type: Weaknesses
Values Added: CWE-908

Type: CPEs
Values Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*

Type: Metrics
Values Removed:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 25 Feb 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Mozilla; Mozilla firefox

Type: Vendors & Products
Values Added: Mozilla; Mozilla firefox

Wed, 25 Feb 2026 00:15:00 +0000

Type: References

Type: Metrics
Values Removed:
  threat_severity: None
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  threat_severity: Important


Tue, 24 Feb 2026 14:00:00 +0000

Type: Description
Values Added: Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability affects Firefox < 148.

Type: Title
Values Added: Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android

Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:54:08.870Z

Reserved: 2026-02-19T15:06:38.903Z

Link: CVE-2026-2794

Vulnrichment

Updated: 2026-02-26T20:17:54.804Z

NVD

Status: Modified

Published: 2026-02-24T14:16:27.897

Modified: 2026-04-13T15:17:28.313

Link: CVE-2026-2794

Redhat

Severity: Important

Public Date: 2026-02-24T13:33:25Z

Links: CVE-2026-2794 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T17:15:10Z

Weaknesses