Description
Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Published: 2026-03-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption leading to Potential Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an incorrect boundary check in the graphics Canvas2D component that can lead to out‑of‑bounds memory access, causing memory corruption. When exploited, this could allow an attacker to execute arbitrary code with the privileges of the running user, potentially affecting confidentiality, integrity, and availability of the system. The weakness corresponds to CWE‑754 (Array Index Value Exceeds One More Than Array Length) and CWE‑787 (Out‑of‑Bounds Write).

Affected Systems

Mozilla Firefox versions older than 149, Firefox ESR versions older than 115.34 or 140.9, and Mozilla Thunderbird versions older than 149 or 140.9 are impacted. All builds are affected, including ESR channels. The issue is tied to the Canvas2D rendering engine used by both browsers and the email client.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is classified as high. The EPSS score is below 1%, indicating that exploitation is considered low probability, and it is not listed in the CISA KEV catalog. The likely attack vector is remote exploitation via a crafted web page, email attachment, or other malicious content that triggers the Canvas2D rendering path. An attacker would need to deliver the malicious content to a vulnerable user and rely on the incorrect boundary conditions to corrupt memory, which may lead to code execution.

Generated by OpenCVE AI on March 26, 2026 at 04:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 149 or later, or to the latest Firefox ESR release.
  • Upgrade Mozilla Thunderbird to version 149 or later, or to the latest Thunderbird ESR release.
  • If an upgrade is not immediately possible, temporarily disable or block the Canvas2D component via policy or configuration settings, if available.
  • Verify that the installed package satisfies the version thresholds specified in the advisory, and double‑check the build string for ESR tags.
  • Monitor official Mozilla release notes and security advisories for any additional mitigations or workarounds.

Advisories

Source      ID          Title
Debian DLA  DLA-4510-1  firefox-esr security update
Debian DLA  DLA-4511-1  thunderbird security update
Debian DSA  DSA-6178-1  firefox-esr security update
Debian DSA  DSA-6179-1  thunderbird security update

History

Mon, 13 Apr 2026 14:30:00 +0000

  Description
    Removed: Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
    Added:   Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Thu, 26 Mar 2026 13:15:00 +0000

  Metrics
    Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 00:15:00 +0000

Wed, 25 Mar 2026 12:00:00 +0000

  First Time appeared
    Added: Mozilla firefox Esr
  Vendors & Products
    Added: Mozilla firefox Esr

Tue, 24 Mar 2026 20:30:00 +0000

  Description
    Removed: Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, and Firefox ESR < 140.9.
    Added:   Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
  References

Tue, 24 Mar 2026 19:30:00 +0000

  First Time appeared
    Added: Mozilla; Mozilla firefox
  Weaknesses
    Added: CWE-754
  CPEs
    Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*; cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
  Vendors & Products
    Added: Mozilla; Mozilla firefox
  Metrics
    Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Tue, 24 Mar 2026 12:45:00 +0000

  Description
    Added: Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, and Firefox ESR < 140.9.
  Title
    Added: Incorrect boundary conditions in the Graphics: Canvas2D component
  References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:47:24.448Z

Reserved: 2026-03-23T23:21:31.793Z

Link: CVE-2026-4685

Vulnrichment

Updated: 2026-03-26T12:43:37.795Z

NVD

Status: Modified

Published: 2026-03-24T13:16:04.323

Modified: 2026-04-13T15:17:36.533

Link: CVE-2026-4685

Redhat

Severity: Important

Published: 2026-03-24T12:30:21Z

Links: CVE-2026-4685 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-26T12:20:21Z

Weaknesses