Description
Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Published: 2026-03-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Potential critical impact due to undefined behavior
Action: Immediate Patch
AI Analysis

Impact

The flaw is an undefined‑behaviour vulnerability in the WebRTC Signaling component of Mozilla products. The issue originates from code that processes signaling data, but the description does not specify the exact result of the flaw. Undefined behavior can lead to crashes, data corruption, or other unpredictable effects when the component encounters malformed input.

Affected Systems

Mozilla Firefox versions older than 149 and the ESR branch older than 140.9, as well as Mozilla Thunderbird versions older than 149 and the ESR branch older than 140.9, are affected by this vulnerability. The same WebRTC implementation is utilized in both the browser and the mail client, meaning the impact applies to all affected installations of either product.

Risk and Exploitability

The CVSS score of 9.8 categorizes the vulnerability as critical, while the EPSS score indicates that active exploitation is currently uncommon. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, so no publicly known exploits are documented. The attack vector is not explicitly described in the available data; based on the component’s role, it is reasonable to infer that the flaw can be triggered by external entities that deliver WebRTC signaling traffic, though the precise method to achieve exploitation is not detailed.

Generated by OpenCVE AI on March 26, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Firefox 149 or later, or to ESR 140.9 or later.
  • Update to Thunderbird 149 or later, or to ESR 140.9 or later.
  • If an update cannot be applied immediately, monitor vendor advisories for any interim guidance and consider restricting WebRTC signaling traffic to trusted origins.

Generated by OpenCVE AI on March 26, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4510-1 firefox-esr security update
Debian DLA Debian DLA DLA-4511-1 thunderbird security update
Debian DSA Debian DSA DSA-6178-1 firefox-esr security update
Debian DSA Debian DSA DSA-6179-1 thunderbird security update
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-475
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-758
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla firefox Esr
Vendors & Products Mozilla firefox Esr

Tue, 24 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9. Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
First Time appeared Mozilla
Mozilla firefox
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla
Mozilla firefox
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Title Undefined behavior in the WebRTC: Signaling component
References

Subscriptions

Mozilla Firefox Firefox Esr
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:50:36.275Z

Reserved: 2026-03-23T23:22:11.844Z

Link: CVE-2026-4705

cve-icon Vulnrichment

Updated: 2026-03-25T19:38:58.243Z

cve-icon NVD

Status : Modified

Published: 2026-03-24T13:16:06.403

Modified: 2026-04-13T15:17:40.393

Link: CVE-2026-4705

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-24T12:30:32Z

Links: CVE-2026-4705 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:20:03Z

Weaknesses