CVE-2026-4724 - Vulnerability Details

- Undefined behavior in the Audio/Video component

Description

Undefined behavior in the Audio/Video component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Published: 2026-03-24

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability arises from undefined behavior in the audio/video component of the application. Undefined behavior can result in memory corruption, which may allow an attacker to compromise the integrity of the running process or trigger a crash. The high CVSS score of 9.1 reflects the severity of the potential impact, indicating that a successful exploitation could have significant consequences for confidentiality, integrity, or availability of user data.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. All releases prior to version 149 contain the flaw; the issue is fixed in Firefox 149 and Thunderbird 149.

Risk and Exploitability

The CVSS score indicates a severe vulnerability, while the EPSS score of less than 1% suggests that exploit activity is currently rare. The vulnerability is not listed in the CISA KEV catalog. Based on the component involved, the likely attack vector involves the processing of malicious audio or video content that could be delivered remotely or locally, but this inference is drawn from the description and the nature of the component, not from explicit input.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`149`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`149`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox::::::::
	cpe:2.3:a:mozilla:thunderbird::::::::

No data.

Vendor Product Confidence Versions

Mozilla

Firefox

100%

Version	Status	Scheme	Platform
`[0,149)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Mozilla Firefox to version 149 or newer.
Update Mozilla Thunderbird to version 149 or newer.
Verify that the update has been applied and restart the applications.
If an update cannot be applied immediately, avoid opening suspicious media files and monitor for application instability.
Stay informed by reviewing Mozilla security advisories for further updates.

Generated by OpenCVE AI on April 13, 2026 at 15:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=2014865
https://nvd.nist.gov/vuln/detail/CVE-2026-4724
https://www.cve.org/CVERecord?id=CVE-2026-4724
https://www.mozilla.org/security/advisories/mfsa2026-20/
https://www.mozilla.org/security/advisories/mfsa2026-20/#CVE-2026-4724
https://www.mozilla.org/security/advisories/mfsa2026-23/

History

Mon, 13 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description	Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149 and Thunderbird < 149.	Undefined behavior in the Audio/Video component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Wed, 25 Mar 2026 21:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla thunderbird
CPEs		cpe:2.3:a:mozilla:firefox:::::::: cpe:2.3:a:mozilla:thunderbird::::::::
Vendors & Products		Mozilla thunderbird

Wed, 25 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-758
Metrics	cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`	ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

Wed, 25 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-475
References		https://nvd.nist.gov/vuln/detail/CVE-2026-4724 https://www.cve.org/CVERecord?id=CVE-2026-4724 https://www.mozilla.org/security/advisories/mfsa2026-20/#CVE-2026-4724
Metrics	threat_severity `None`	cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}` threat_severity `Moderate`

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox
Vendors & Products		Mozilla Mozilla firefox

Tue, 24 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description	Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149.	Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
References		https://www.mozilla.org/security/advisories/mfsa2026-23/

Tue, 24 Mar 2026 12:45:00 +0000

Type	Values Removed	Values Added
Description		Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149.
Title		Undefined behavior in the Audio/Video component
References		https://bugzilla.mozilla.org/show_bug.cgi?id=2014865 https://www.mozilla.org/security/advisories/mfsa2026-20/

Subscriptions

Mozilla Firefox Thunderbird

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2026-03-24T12:30:31.717Z

Updated: 2026-04-13T13:50:29.818Z

Reserved: 2026-03-23T23:22:47.158Z

Link: CVE-2026-4724

Vulnrichment

Updated: 2026-03-25T19:45:42.670Z

NVD

Status : Modified

Published: 2026-03-24T13:16:08.280

Modified: 2026-04-13T15:17:44.733

Link: CVE-2026-4724

Redhat

Severity : Moderate

Publid Date: 2026-03-24T12:30:31Z

Links: CVE-2026-4724 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:43:08Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object