Description
Uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Published: 2026-03-24
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Uninitialized memory within the Graphics: Canvas2D component can allow an attacker to influence memory used during rendering, potentially leading to arbitrary code execution or disclosure of sensitive data. The flaw arises from improper initialization of internal buffers when a Canvas2D instance processes input from a web page or email attachment. The high CVSS score of 9.1 indicates that, if exploited, an attacker could push the application into an unsafe state and execute code of their choosing.

Affected Systems

Mozilla Firefox releases older than 149 and ESR versions below 140.9, as well as Mozilla Thunderbird releases older than 149 and ESR versions below 140.9, are affected. Versions starting with Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9 contain the fix and are considered safe.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.1 and an EPSS probability of less than 1 %, suggesting a low likelihood of exploitation but a severe potential impact. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is remote: a malicious web page or email attachment that triggers Canvas2D rendering could exploit the flaw, as inferred from the exploit model and the component involved. Organizations should treat this as a critical risk until a patch is applied.

Generated by OpenCVE AI on April 13, 2026 at 16:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Firefox version 149 or newer, or Firefox ESR 140.9 or newer.
  • Upgrade Thunderbird to version 149 or newer, or Thunderbird ESR 140.9 or newer.
  • Check for recent updates on official Mozilla security advisories if your current release cannot be updated immediately.
  • Consider disabling or limiting Canvas2D rendering in your browser or email client settings until a formal patch is deployed.
  • Maintain routine update checks for all Mozilla products to ensure new fixes are applied promptly.

Generated by OpenCVE AI on April 13, 2026 at 16:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4510-1 firefox-esr security update
Debian DLA Debian DLA DLA-4511-1 thunderbird security update
Debian DSA Debian DSA DSA-6178-1 firefox-esr security update
Debian DSA Debian DSA DSA-6179-1 thunderbird security update
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Uninitialized memory in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. Uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla firefox Esr
Vendors & Products Mozilla firefox Esr

Tue, 24 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Uninitialized memory in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9. Uninitialized memory in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
References

Tue, 24 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses CWE-908
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Uninitialized memory in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Title Uninitialized memory in the Graphics: Canvas2D component
References

Subscriptions

Mozilla Firefox Firefox Esr
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:50:59.102Z

Reserved: 2026-03-23T23:22:31.885Z

Link: CVE-2026-4715

cve-icon Vulnrichment

Updated: 2026-03-25T19:36:33.548Z

cve-icon NVD

Status : Modified

Published: 2026-03-24T13:16:07.410

Modified: 2026-04-13T15:17:43.070

Link: CVE-2026-4715

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-24T12:30:38Z

Links: CVE-2026-4715 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:54Z

Weaknesses