Description
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Published: 2026-03-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a use-after-free error in the JavaScript engine component of Mozilla Firefox and Thunderbird. The flaw causes the engine to access memory that has already been released, leading to undefined behavior. While the CVE text does not detail a specific attacker scenario, such memory corruption can enable arbitrary code execution, data corruption, or denial of service if an attacker supplies malicious script to the vulnerable application.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird for all releases below version 149 are affected. The issue exists in any build of these products before the 149 release, irrespective of operating system.

Risk and Exploitability

The CVSS score of 9.8 classifies this flaw as critical. No EPSS score is provided and the vulnerability is not listed in the CISA KEV catalog. Because the defect resides in the JavaScript engine, the likely attack vector is a malicious web page or email attachment that runs code in the user's context, allowing remote exploitation. An attacker who delivers crafted JavaScript can potentially achieve arbitrary code execution or destabilize the application. Updating to Firefox 149 or later and Thunderbird 149 or later removes the flaw and eliminates the risk.

Generated by OpenCVE AI on March 25, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to version 149 or later.
  • Update Thunderbird to version 149 or later.
  • If immediate update is not possible, consider disabling or restricting JavaScript execution for untrusted content until a patch is applied.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
  Values Removed: Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
  Values Added: Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Wed, 25 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:15:00 +0000

Type: Weaknesses
  Values Added: CWE-825
Type: References
Type: Metrics (threat_severity)
  Values Removed: None
  Values Added: Moderate


Tue, 24 Mar 2026 20:30:00 +0000

Type: Description
  Values Removed: Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149.
  Values Added: Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Type: References

Tue, 24 Mar 2026 19:15:00 +0000

Type: First Time appeared
  Values Added: Mozilla; Mozilla firefox
Type: Weaknesses
  Values Added: CWE-416
Type: CPEs
  Values Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
Type: Vendors & Products
  Values Added: Mozilla; Mozilla firefox
Type: Metrics (cvssV3_1)
  Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 24 Mar 2026 12:45:00 +0000

Type: Description
  Values Added: Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149.
Type: Title
  Values Added: Use-after-free in the JavaScript Engine component
Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:50:27.197Z

Reserved: 2026-03-23T23:22:44.920Z

Link: CVE-2026-4723

Vulnrichment

Updated: 2026-03-25T19:47:50.233Z

NVD

Status : Modified

Published: 2026-03-24T13:16:08.190

Modified: 2026-04-13T15:17:44.557

Link: CVE-2026-4723

Redhat

Severity : Moderate

Public Date: 2026-03-24T12:30:31Z

Links: CVE-2026-4723 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T20:50:40Z

Weaknesses