Description
Undefined behavior in the Audio/Video component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Published: 2026-03-24
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Potential compromise of system integrity
Action: Immediate Patch
AI Analysis

Impact

The vulnerability stems from undefined behavior that occurs within the audio and video handling component in Mozilla products. The high CVSS score of 9.1 indicates that an attacker could potentially execute arbitrary code or otherwise compromise system integrity by supplying malicious media content to a vulnerable instance.

Affected Systems

Mozilla products affected are Firefox and Thunderbird versions earlier than 149. All releases 149 and later are not impacted.

Risk and Exploitability

The probability of exploitation is reported to be very low (less than 1%) and the issue has not been listed in the CISA Known Exploited Vulnerabilities catalog. However, given the severity rating, the risk to environments that cannot promptly upgrade remains high. The likely attack path involves an attacker delivering specially crafted audio or video files that trigger the undefined behavior during processing.

Generated by OpenCVE AI on March 25, 2026 at 23:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 149 or later
  • Update Mozilla Thunderbird to version 149 or later
  • Ensure all extensions and plug‑ins are compatible with the updated versions
  • Continuously monitor Mozilla security advisories for further updates

Generated by OpenCVE AI on March 25, 2026 at 23:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149 and Thunderbird < 149. Undefined behavior in the Audio/Video component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Wed, 25 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-758
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Wed, 25 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-475
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 24 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149. Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
References

Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149.
Title Undefined behavior in the Audio/Video component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:50:29.818Z

Reserved: 2026-03-23T23:22:47.158Z

Link: CVE-2026-4724

cve-icon Vulnrichment

Updated: 2026-03-25T19:45:42.670Z

cve-icon NVD

Status : Modified

Published: 2026-03-24T13:16:08.280

Modified: 2026-04-13T15:17:44.733

Link: CVE-2026-4724

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-24T12:30:31Z

Links: CVE-2026-4724 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-26T12:20:05Z

Weaknesses