Description
Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Published: 2026-03-24
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Immediately
AI Analysis

Impact

The vulnerability originates from undefined behavior within the WebRTC: Signaling component, specifically involving improper handling of signaling data that can trigger uninitialized variable usage and related erroneous logic. These coding defects can cause the affected application to crash or enter an unintended state when processing certain signaling packets, potentially exposing the system to denial of service. The weakness aligns with CWE‑475 (Undefined Behavior) and CWE‑758 (Uninitialized Variable).

Affected Systems

Mozilla Firefox versions before 149 and Firefox ESR versions before 140.9 are vulnerable. Likewise, Mozilla Thunderbird versions before 149 and Thunderbird ESR versions before 140.9 contain the same flaw and must be updated to a fixed release.

Risk and Exploitability

The CVSS base score of 8.1 reflects a high severity vulnerability, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, an attacker could provoke the error by delivering crafted WebRTC signaling messages over the network, potentially from a malicious web page or compromised network element, leading to application crashes or service disruption.

Generated by OpenCVE AI on April 13, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 149 or later, or apply the ESR 140.9 update set.
  • Upgrade Mozilla Thunderbird to version 149 or later, or apply the ESR 140.9 update set.
  • If an upgrade cannot be performed immediately, disable WebRTC entirely in the affected applications to prevent loading the vulnerable component.
  • Block outbound WebRTC signaling traffic using firewall rules as an additional temporary safeguard.
  • Continuously monitor Mozilla security advisory pages for further guidance or subsequent patches.

Generated by OpenCVE AI on April 13, 2026 at 17:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4510-1 firefox-esr security update
Debian DLA Debian DLA DLA-4511-1 thunderbird security update
Debian DSA Debian DSA DSA-6178-1 firefox-esr security update
Debian DSA Debian DSA DSA-6179-1 thunderbird security update
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9. Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Thu, 26 Mar 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-122

Thu, 26 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-475
References
Metrics threat_severity

None

 threat_severity

Low

Wed, 25 Mar 2026 22:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-122

Wed, 25 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-758
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Tue, 24 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9. Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
References

Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Title Undefined behavior in the WebRTC: Signaling component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:12.032Z

Reserved: 2026-03-23T23:22:37.804Z

Link: CVE-2026-4718

cve-icon Vulnrichment

Updated: 2026-03-25T19:12:40.293Z

cve-icon NVD

Status : Modified

Published: 2026-03-24T13:16:07.700

Modified: 2026-04-13T15:17:43.610

Link: CVE-2026-4718

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-24T12:30:42Z

Links: CVE-2026-4718 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:48Z

Weaknesses