Description
Use-after-free in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Published: 2026-03-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free flaw in Firefox and Thunderbird’s CSS Parsing and Computation component can corrupt memory and allow an attacker to execute code in the context of the user or system. The vulnerability is scored at 9.8 on the CVSS scale, reflecting the potential for complete compromise. While the description does not specify a particular entry point, the likely attack vector is rendering malicious web content or email that contains specially crafted CSS. This inference is based on the nature of CSS parsing in web browsers and email clients.

Affected Systems

The flaw affects Mozilla Firefox versions older than 149, as well as all ESR builds below 115.34 and below 140.9. Thunderbird versions older than 149 and ESR builds below 140.9 are also vulnerable. No specific patch version has been listed in the data, indicating that the user must upgrade to a version that is not listed as affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8 and an EPSS score of less than 1%, and it is not featured in the CISA KEV list. This combination indicates a high-severity flaw that is unlikely to see widespread exploitation currently, but the potential for remote code execution is significant. Successful exploitation would require an attacker to supply malformed CSS that triggers the use‑after‑free condition, most plausibly through a malicious web page or email attachment. The impact could be total system compromise if the flaw is executed with sufficient privileges.

Generated by OpenCVE AI on March 26, 2026 at 04:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 149 or newer, or apply any ESR releases 115.34 or 140.9 that contain the fix.
  • Update Thunderbird to version 149 or newer, or apply any ESR releases 140.9 that contain the fix.
  • If a patch is not yet available, avoid browsing untrusted sites or opening suspicious emails until a security update is released.

Generated by OpenCVE AI on March 26, 2026 at 04:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4510-1 firefox-esr security update
Debian DLA Debian DLA DLA-4511-1 thunderbird security update
Debian DSA Debian DSA DSA-6178-1 firefox-esr security update
Debian DSA Debian DSA DSA-6179-1 thunderbird security update
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Use-after-free in the CSS Parsing and Computation component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. Use-after-free in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Thu, 26 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla firefox Esr
Vendors & Products Mozilla firefox Esr

Tue, 24 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Use-after-free in the CSS Parsing and Computation component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, and Firefox ESR < 140.9. Use-after-free in the CSS Parsing and Computation component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
References

Tue, 24 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses CWE-416
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Use-after-free in the CSS Parsing and Computation component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, and Firefox ESR < 140.9.
Title Use-after-free in the CSS Parsing and Computation component
References

Subscriptions

Mozilla Firefox Firefox Esr
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:48:42.999Z

Reserved: 2026-03-23T23:21:44.154Z

Link: CVE-2026-4691

cve-icon Vulnrichment

Updated: 2026-03-26T12:49:26.344Z

cve-icon NVD

Status : Modified

Published: 2026-03-24T13:16:04.937

Modified: 2026-04-13T15:17:37.860

Link: CVE-2026-4691

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-24T12:30:24Z

Links: CVE-2026-4691 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:20:17Z

Weaknesses