Description
Denial-of-service in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Published: 2026-03-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial‑of‑Service
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to induce a denial‑of‑service condition within the WebRTC signaling subsystem. By issuing specially crafted signaling messages, an adversary can exhaust system resources, causing the browser or mail client to hang or crash. The flaw does not compromise confidentiality or integrity; its effect is purely availability loss, classified as a high‑severity resource‑exhaustion problem.

Affected Systems

Mozilla's Firefox web browser and Thunderbird mail client are affected. The issue is present in all releases before Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9; the fix is included in those versions.

Risk and Exploitability

With a CVSS score of 7.5, the flaw is rated High. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack likely requires the victim to receive or interact with malicious WebRTC signaling traffic, which can occur during normal use of the browser or mail client. Because the vector is remote, many users are potentially exposed, but remediation is straightforward.

Generated by OpenCVE AI on April 13, 2026 at 15:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 149 or later, or Firefox ESR 140.9 or newer.
  • Upgrade to Thunderbird 149 or later, or Thunderbird ESR 140.9 or newer.
  • If an upgrade is not possible, disable WebRTC signaling in Firefox by setting media.peerconnection.enabled to false in about:config; for Thunderbird, disable peer connections if a corresponding setting is available.
  • Continuously monitor the Mozilla security advisory releases for additional updates or guidance.

Generated by OpenCVE AI on April 13, 2026 at 15:46 UTC.


Advisories
Source | ID | Title
Debian DLA | DLA-4510-1 | firefox-esr security update
Debian DLA | DLA-4511-1 | thunderbird security update
Debian DSA | DSA-6178-1 | firefox-esr security update
Debian DSA | DSA-6179-1 | thunderbird security update

History

Mon, 13 Apr 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | Denial-of-service in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. | Denial-of-service in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Thu, 26 Mar 2026 00:15:00 +0000


Wed, 25 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla firefox Esr
Vendors & Products Mozilla firefox Esr

Tue, 24 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Tue, 24 Mar 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | Denial-of-service in the WebRTC: Signaling component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9. | Denial-of-service in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
References

Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Denial-of-service in the WebRTC: Signaling component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Title Denial-of-service in the WebRTC: Signaling component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:50:34.107Z

Reserved: 2026-03-23T23:22:09.666Z

Link: CVE-2026-4704

Vulnrichment

Updated: 2026-03-25T17:50:53.144Z

NVD

Status: Modified

Published: 2026-03-24T13:16:06.303

Modified: 2026-04-13T15:17:40.207

Link: CVE-2026-4704

Redhat

Severity: Moderate

Public Date: 2026-03-24T12:30:32Z

Links: CVE-2026-4704 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:43:07Z