Description
Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Published: 2026-03-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An incorrect boundary condition in the Audio/Video component of Firefox and Thunderbird can lead to an out‑of‑bounds write that, if triggered, may allow an attacker to execute arbitrary code. The compromise would grant full control of the affected process, potentially leaking or altering user data and providing a foothold for further attacks.

Affected Systems

The vulnerability is present in all releases of Mozilla Firefox and Mozilla Thunderbird that are older than Firefox 149 and Firefox ESR 140.9, and older than Thunderbird 149 and Thunderbird ESR 140.9. Any system running those versions on any platform can be impacted unless mitigated by a patch.

Risk and Exploitability

The CVSS score of 9.8 signals a high severity. The EPSS score is below 1 %, indicating that the craft of an exploit may currently be uncommon, but the impact remains significant. The flaw is not listed in CISA’s KEV catalog. The likely exploit path is a crafted audio or video file that triggers the overflow when processed by the browser or mail client, potentially allowing remote code execution from a malicious website or from locally opened media. This inference is based on the nature of the affected component and the typical attack vectors for such vulnerabilities.

Generated by OpenCVE AI on April 13, 2026 at 15:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 149 or newer, or Firefox ESR 140.9 or newer.
  • Update Mozilla Thunderbird to version 149 or newer, or Thunderbird ESR 140.9 or newer.
  • Verify that the installation is the latest patched build before using the application.
  • If an immediate update cannot be applied, avoid opening untrusted media files and use the vendor’s update site to obtain the latest security patches.

Generated by OpenCVE AI on April 13, 2026 at 15:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4510-1 firefox-esr security update
Debian DLA Debian DLA DLA-4511-1 thunderbird security update
Debian DSA Debian DSA DSA-6178-1 firefox-esr security update
Debian DSA Debian DSA DSA-6179-1 thunderbird security update
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. Incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Tue, 24 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9. Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
References

Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Title Incorrect boundary conditions in the Audio/Video component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:50:46.845Z

Reserved: 2026-03-23T23:22:21.623Z

Link: CVE-2026-4710

cve-icon Vulnrichment

Updated: 2026-03-26T18:54:02.557Z

cve-icon NVD

Status : Modified

Published: 2026-03-24T13:16:06.910

Modified: 2026-04-13T15:17:42.167

Link: CVE-2026-4710

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-24T12:30:35Z

Links: CVE-2026-4710 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:43:00Z

Weaknesses