Description
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Published: 2026-03-24
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free flaw in the Disability Access APIs component enables a sandbox escape, allowing attackers to cause the browser or mail client to execute code that it normally would not be permitted to run. The vulnerability corresponds to the Use After Free weakness (CWE‑416) and involves improper handling of certain memory resources (CWE‑825).

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. Versions prior to Firefox 149 and Thunderbird 149, including the extended support releases Firefox ESR 140.9 and Thunderbird ESR 140.9, contain the bug; subsequent releases contain the fix.

Risk and Exploitability

The CVSS score of 9.6 indicates a high‑severity risk, yet the EPSS score of less than 1 % suggests that exploitation is currently unlikely and the vulnerability is not listed in the CISA KEV catalog. Based on the CVE description, it is inferred that an attacker would need to supply malicious sandboxed content—such as a crafted web page or document—to trigger the use‑after‑free; if successful, the attacker could achieve full process compromise. The attack vector is inferred to be via privileged sandboxed content rather than a direct remote network exploit.

Generated by OpenCVE AI on April 13, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Firefox update (version 149 or newer)
  • Apply the latest Thunderbird update (version 149 or newer)
  • For users on the ESR line, install the ESR 140.9 update or newer
  • If upgrading is delayed, restrict access to potentially dangerous content through browser security settings or content security policy

Generated by OpenCVE AI on April 13, 2026 at 16:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4510-1 firefox-esr security update
Debian DLA Debian DLA DLA-4511-1 thunderbird security update
Debian DSA Debian DSA DSA-6178-1 firefox-esr security update
Debian DSA Debian DSA DSA-6179-1 thunderbird security update
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla firefox Esr
Vendors & Products Mozilla firefox Esr

Tue, 24 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9. Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
References

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses CWE-416
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Title Sandbox escape due to use-after-free in the Disability Access APIs component
References

Subscriptions

Mozilla Firefox Firefox Esr
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:48:35.360Z

Reserved: 2026-03-23T23:21:37.949Z

Link: CVE-2026-4688

cve-icon Vulnrichment

Updated: 2026-03-25T14:04:39.501Z

cve-icon NVD

Status : Modified

Published: 2026-03-24T13:16:04.640

Modified: 2026-04-13T15:17:37.207

Link: CVE-2026-4688

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-24T12:30:22Z

Links: CVE-2026-4688 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:43:42Z

Weaknesses