Description
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
Published: 2026-02-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential Code Execution
Action: Apply Patch
AI Analysis

Impact

The flaw occurs in the JavaScript WebAssembly handler where an object is freed too early while still referenced, creating a use‑after‑free condition. This weakness (CWE‑416) allows memory corruption if an attacker supplies crafted WebAssembly code that can be executed in the context of the JavaScript engine. The description does not detail a confirmed exploit, but such a condition can potentially lead to arbitrary code execution or denial of service within the affected application.

Affected Systems

The vulnerability affects Mozilla Firefox and Thunderbird. Versions prior to 148 are susceptible; the issue was patched in Firefox 148 and Thunderbird 148. The affected releases are those listed by the CPE identifiers or by the vendor product names above.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. EPSS is under 1%, implying that exploitation in the wild is unlikely at present. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require an attacker to deliver a malicious WebAssembly payload to the victim’s browser, which typically means a compromised site or social engineering. Given the low EPSS, the actual risk for most users is low, but the existence of a use-after-free flaw warrants patching.

Generated by OpenCVE AI on April 15, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest supported Mozilla Firefox release, ensuring it is at least version 148 or newer.
  • Apply the latest supported Mozilla Thunderbird release, ensuring it is at least version 148 or newer.
  • Keep both applications up to date by enabling automatic updates or regularly checking Mozilla’s security advisories. If an immediate update is not possible, consider restricting or blocking WebAssembly execution.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Description
  Removed: Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
  Added: Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

Sat, 28 Feb 2026 00:15:00 +0000


Wed, 25 Feb 2026 15:15:00 +0000

CPEs
  Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
  Added: cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*

Wed, 25 Feb 2026 12:00:00 +0000

First Time appeared
  Added: Mozilla; Mozilla firefox; Mozilla thunderbird
Vendors & Products
  Added: Mozilla; Mozilla firefox; Mozilla thunderbird

Tue, 24 Feb 2026 18:00:00 +0000

Description
  Removed: Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148.
  Added: Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148.
References

Tue, 24 Feb 2026 16:15:00 +0000

Weaknesses
  Added: CWE-416
Metrics
  Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}
  Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 14:00:00 +0000

Description
  Added: Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148.
Title
  Added: Use-after-free in the JavaScript: WebAssembly component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:54:33.221Z

Reserved: 2026-02-19T15:07:01.585Z

Link: CVE-2026-2804

Vulnrichment

Updated: 2026-02-24T15:55:59.764Z

NVD

Status: Modified

Published: 2026-02-24T14:16:28.917

Modified: 2026-04-13T15:17:31.677

Link: CVE-2026-2804

Redhat

Severity: Moderate

Public Date: 2026-02-24T13:33:32Z

Links: CVE-2026-2804 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses