Description
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Published: 2026-03-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This flaw is a use‑after‑free condition in the JavaScript engine that can let an attacker run arbitrary code inside the browser, potentially granting full control over the victim’s machine. The vulnerability compromises confidentiality, integrity, and availability by allowing the execution of malicious payloads. While the description does not specify an attack vector, it is inferred that the flaw requires the delivery of harmful JavaScript, such as through a compromised web page or a malicious email attachment, to activate the exploit.

Affected Systems

Mozilla Firefox and Thunderbird are affected, specifically any release prior to Firefox 149 or Firefox ESR 140.9 for the browser, and any release prior to Thunderbird 149 or Thunderbird ESR 140.9 for the mail client.

Risk and Exploitability

The CVSS score of 9.8 marks it as critical, yet the EPSS score is below 1% indicating a low likelihood of widespread exploitation. The vulnerability is not in the CISA KEV catalog. Exploitation presumably requires delivery of malicious JavaScript to the user’s machine, so the attack vector is inferred as remote code execution via compromised web content or malicious email attachments. Successful exploitation depends on a vulnerable version of the JavaScript engine and user interaction that causes the code to run.

Generated by OpenCVE AI on April 13, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 149 or newer, including ESR 140.9 or newer.
  • Upgrade Thunderbird to version 149 or newer, including ESR 140.9 or newer.

Generated by OpenCVE AI on April 13, 2026 at 16:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4510-1 firefox-esr security update
Debian DLA Debian DLA DLA-4511-1 thunderbird security update
Debian DSA Debian DSA DSA-6178-1 firefox-esr security update
Debian DSA Debian DSA DSA-6179-1 thunderbird security update
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Thu, 26 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla firefox Esr
Vendors & Products Mozilla firefox Esr

Tue, 24 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses CWE-416
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 24 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9. Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
References

Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Title Use-after-free in the JavaScript Engine component
References

Subscriptions

Mozilla Firefox Firefox Esr
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:50:19.589Z

Reserved: 2026-03-23T23:22:05.456Z

Link: CVE-2026-4701

cve-icon Vulnrichment

Updated: 2026-03-26T13:05:14.368Z

cve-icon NVD

Status : Modified

Published: 2026-03-24T13:16:06.103

Modified: 2026-04-13T15:17:39.750

Link: CVE-2026-4701

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-24T12:30:29Z

Links: CVE-2026-4701 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:43:28Z

Weaknesses