Description
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Published: 2026-03-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Execution of Arbitrary Code
Action: Immediate Patch
AI Analysis

Impact

Use‑after‑free in the JavaScript engine component allows an attacker to access memory that has already been freed. The vulnerability is fixed in Firefox 149 and Thunderbird 149. Based on the high CVSS score and the nature of use‑after‑free, it is inferred that an attacker could manipulate memory to achieve arbitrary code execution, compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected on any version older than 149 because the flaw resides in their JavaScript engine component. Both products have been patched in release 149, which includes proper memory deallocation and safety checks.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, yet the EPSS score of less than 1% suggests a low current likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is remote, delivered through malicious web pages or email attachments that execute JavaScript within the browser or mail client. Exploitation requires the victim to open or run the crafted content, and the target must be running a pre‑149 version of the affected product.

Generated by OpenCVE AI on April 13, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 149 or later.
  • Upgrade Mozilla Thunderbird to version 149 or later.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type: Description
Values Removed: Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Values Added: Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 24 Mar 2026 20:30:00 +0000

Type: Description
Values Removed: Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149.
Values Added: Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
References

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses CWE-416
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149.
Title Use-after-free in the JavaScript Engine component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:50:27.197Z

Reserved: 2026-03-23T23:22:44.920Z

Link: CVE-2026-4723

Vulnrichment

Updated: 2026-03-25T19:47:50.233Z

NVD

Status: Modified

Published: 2026-03-24T13:16:08.190

Modified: 2026-04-13T15:17:44.557

Link: CVE-2026-4723

Redhat

Severity: Moderate

Public Date: 2026-03-24T12:30:31Z

Links: CVE-2026-4723 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:43:09Z

Weaknesses