Description
Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Published: 2026-03-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Memory corruption bugs were found in specific releases of Firefox and Thunderbird. The vulnerability stems from improper boundary checks that can corrupt memory and, under certain conditions, may allow an attacker to execute arbitrary code. The weakness is identified as a classic buffer overflow (CWE-120) and carries a CVSS score of 9.8, indicating a severe risk to affected systems.

Affected Systems

The affected products include Mozilla Firefox versions 148 and ESR 140.8, and Mozilla Thunderbird versions 148 and ESR 140.8. Any system still running these exact builds is vulnerable. The issue was resolved in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird ESR 140.9.

Risk and Exploitability

The CVSS score reflects a critical impact, while the EPSS assessment indicates a low probability of immediate exploitation. The vulnerability could be triggered by malicious web content or email content delivered to the affected applications. The attacker would need to supply crafted data that leads to memory corruption, after which code execution may be achieved. Though no official exploitation reports are available, the nature of the bug suggests that local or remote code execution is possible. The absence of the issue in the KEV catalog does not reduce its risk; the high severity score signals that the vulnerability should be treated with urgency.

Generated by OpenCVE AI on April 13, 2026 at 15:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 149 or newer, or switch to the ESR 140.9 release if using the extended-support channel.
  • Update Thunderbird to version 149 or newer, or switch to the ESR 140.9 release if using the extended-support channel.
  • Verify that the installed binaries match the official signed releases to ensure the patch was applied correctly.
  • Monitor Mozilla security advisories and patch releases for any additional updates or related issues.
  • If immediate upgrade is not possible, disable the application until the patch is available, or restrict user access to the affected features.


Advisories
Source       ID          Title
Debian DLA   DLA-4510-1  firefox-esr security update
Debian DLA   DLA-4511-1  thunderbird security update
Debian DSA   DSA-6178-1  firefox-esr security update
Debian DSA   DSA-6179-1  thunderbird security update
History

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
Values Removed: Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Values Added: Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Thu, 26 Mar 2026 00:15:00 +0000


Wed, 25 Mar 2026 21:00:00 +0000

Type: First Time appeared
Values Added: Mozilla thunderbird

Type: CPEs
Values Added:
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Type: Vendors & Products
Values Added: Mozilla thunderbird

Wed, 25 Mar 2026 13:15:00 +0000

Type: Weaknesses
Values Added: CWE-120

Type: Metrics
Values Added:
cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Mozilla; Mozilla firefox; Mozilla firefox Esr

Type: Vendors & Products
Values Added: Mozilla; Mozilla firefox; Mozilla firefox Esr

Tue, 24 Mar 2026 20:30:00 +0000

Type: Description
Values Removed: Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Values Added: Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

Type: References

Tue, 24 Mar 2026 12:45:00 +0000

Type: Description
Values Added: Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.

Type: Title
Values Added: Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149

Type: References


MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:17.655Z

Reserved: 2026-03-23T23:22:41.974Z

Link: CVE-2026-4720

Vulnrichment

Updated: 2026-03-25T13:09:40.957Z

NVD

Status: Modified

Published: 2026-03-24T13:16:07.893

Modified: 2026-04-13T15:17:44.017

Link: CVE-2026-4720

Redhat

Severity: Important

Public Date: 2026-03-24T12:30:43Z

Links: CVE-2026-4720 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:42:46Z

Weaknesses