Description
Race condition in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
Published: 2026-02-24
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential denial of service or application crash due to race condition in JavaScript GC
Action: Apply Patch
AI Analysis

Impact

A race condition exists within the JavaScript garbage collector component. This flaw can allow the garbage collector to behave unpredictably, potentially corrupting memory or causing the browser or email client to crash. Such crashes are a typical denial‑of‑service outcome for end‑users.

Affected Systems

The vulnerability affects Mozilla Firefox and Mozilla Thunderbird installations that use the legacy JavaScript engine. All versions up to and including 147 are vulnerable because the fix was introduced in Firefox 148 and Thunderbird 148.

Risk and Exploitability

The CVSS score of 4.2 indicates moderate severity, while the EPSS score of less than 1% suggests that exploitation has not been observed and is unlikely. The flaw is not listed in the CISA KEV catalog. Based on the type of weakness, an attacker would need to trigger the race, likely through a locally executed malicious script or as a privileged user. There is no public evidence of remote exploitation; the attack surface appears to be limited to local or same‑origin contexts.

Generated by OpenCVE AI on April 15, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 148 or later and Thunderbird to version 148 or later.
  • If an immediate upgrade is not possible, disable or restrict browser extensions and email add‑ons that execute arbitrary JavaScript as a temporary mitigation.
  • Monitor system logs for unexpected crashes or anomalies and consider applying additional sandboxing or process isolation configurations.



Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
Values Removed: Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
Values Added: Race condition in the JavaScript: GC component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

Sat, 28 Feb 2026 00:15:00 +0000


Wed, 25 Feb 2026 15:45:00 +0000

Type: CPEs
Values Added:
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*

Wed, 25 Feb 2026 12:00:00 +0000

Type: First Time appeared
Values Added:
Mozilla
Mozilla firefox
Mozilla thunderbird

Type: Vendors & Products
Values Added:
Mozilla
Mozilla firefox
Mozilla thunderbird

Tue, 24 Feb 2026 18:00:00 +0000

Type: Description
Values Removed: Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148.
Values Added: Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
References

Tue, 24 Feb 2026 16:15:00 +0000

Type: Weaknesses
Values Added: CWE-362

Type: Metrics
Values Added:
cvssV3_1: {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 14:00:00 +0000

Type: Description
Values Added: Race condition in the JavaScript: GC component. This vulnerability affects Firefox < 148.

Type: Title
Values Added: Race condition in the JavaScript: GC component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:54:28.482Z

Reserved: 2026-02-19T15:06:56.714Z

Link: CVE-2026-2802

Vulnrichment

Updated: 2026-02-24T15:56:54.199Z

NVD

Status: Modified

Published: 2026-02-24T14:16:28.703

Modified: 2026-04-13T15:17:31.320

Link: CVE-2026-2802

Redhat

Severity: Moderate

Public Date: 2026-02-24T13:33:30Z

Links: CVE-2026-2802 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses