Description
Zen is a Firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b.
Published: 2026-05-11
Score: 8 (High)
EPSS: < 1% (Very Low)
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Zen Browser’s updater previously removed all MAR signature verification, meaning the browser accepted and installed unsigned update files without any cryptographic check. This flaw allows an attacker who can compromise the update server or the release pipeline to deliver arbitrary code to any user whose browser updates automatically, effectively giving the attacker remote code execution on those machines. The weakness is a missing cryptographic signature check (CWE-347, Improper Verification of Cryptographic Signature).

Affected Systems

Zen Browser (zen-browser:desktop) versions earlier than 1.19.9b are vulnerable. These releases use the Mozilla Application Resource (MAR) updater that was forked from Firefox but stripped of all signature and verification code. Users of these versions will receive unsigned MAR packages and have them applied without validation.

Risk and Exploitability

The CVSS score for this vulnerability is 8, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, although the risk remains significant because any compromise of the update infrastructure can affect all users. The likely attack vector is a compromised update server or the GitHub release pipeline; from the description it is inferred that the attacker would mount an update supply‑chain attack to inject malicious code. Once a malicious MAR file is served, the unverified updater will install it, allowing the attacker to run arbitrary code.

Generated by OpenCVE AI on May 11, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zen Browser to version 1.19.9b or later, which restores MAR signature verification.
  • Verify that the auto‑update configuration points to the official signed update channel and not a third‑party mirror.
  • If a quick upgrade is not possible, temporarily disable automatic updates until the patch is applied to prevent unverified MAR files from being installed.


Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Zen-browser; Zen-browser desktop

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Zen-browser; Zen-browser desktop

Mon, 11 May 2026 19:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 11 May 2026 17:30:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b.

Type: Title
  Values Removed: (none)
  Values Added: Zen Browser MAR updater ships with signature verification removed — unsigned updates accepted

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-347

Type: References
  Values Removed: (none)
  Values Added: (none)

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
    {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T18:31:38.146Z

Reserved: 2026-04-20T15:32:33.814Z

Link: CVE-2026-41431

Vulnrichment

Updated: 2026-05-11T18:31:33.175Z

NVD

Status : Received

Published: 2026-05-11T18:16:34.280

Modified: 2026-05-11T19:16:22.897

Link: CVE-2026-41431

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:51Z

Weaknesses