Description
Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Published: 2026-03-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

A flaw in the interprocess communication component permits a local attacker to elevate privileges on the system. The vulnerability stems from improper handling of permissions, allowing a compromised process to gain higher rights. This increase in authority can compromise confidentiality, integrity, or availability depending on the attacker’s objectives.

Affected Systems

Mozilla products, specifically Firefox and Thunderbird, are affected. Versions prior to 149 of each product contain the flaw; the issue was addressed in Firefox 149 and Thunderbird 149. Users running older releases should verify their current version and apply updates accordingly.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity level, yet the EPSS score is below 1%, indicating a low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be local, requiring an attacker with access to the user’s session or to the IPC mechanism. An attacker would need to exploit the permission misconfiguration within the IPC subsystem to gain escalated privileges.

Generated by OpenCVE AI on April 13, 2026 at 15:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 149 or later.
  • Update Thunderbird to version 149 or later.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
Values Removed: Privilege escalation in the IPC component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Values Added: Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Wed, 25 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-270
References
Metrics
Values Removed: threat_severity: None
Values Added: threat_severity: Moderate


Tue, 24 Mar 2026 20:30:00 +0000

Type: Description
Values Removed: Privilege escalation in the IPC component. This vulnerability affects Firefox < 149.
Values Added: Privilege escalation in the IPC component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
References

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
Vendors & Products Mozilla
Mozilla firefox

Tue, 24 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics
cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Privilege escalation in the IPC component. This vulnerability affects Firefox < 149.
Title Privilege escalation in the IPC component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:50:22.290Z

Reserved: 2026-03-23T23:22:42.876Z

Link: CVE-2026-4722

Vulnrichment

Updated: 2026-03-24T14:55:58.386Z

NVD

Status: Modified

Published: 2026-03-24T13:16:08.093

Modified: 2026-04-13T15:17:44.393

Link: CVE-2026-4722

Redhat

Severity: Moderate

Public Date: 2026-03-24T12:30:30Z

Links: CVE-2026-4722 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:43:11Z

Weaknesses