Description
Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Published: 2026-03-24
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Sandbox escape
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free bug in the Graphics: Canvas2D component that allows the sandbox protecting web content to be bypassed. By causing the browser to free a canvas object out of sequence, a malicious page can trigger arbitrary code execution outside the sandbox, potentially compromising the host system. The weakness is classified as CWE‑416 and CWE‑825.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected versions prior to 149. The issue was patched in Firefox 149 and Thunderbird 149, so any installation older than those releases must be updated.

Risk and Exploitability

The CVSS score of 9.3 marks it as critical, though the EPSS score is below 1%, indicating a low predicted exploitation probability at this time. It is not listed in the CISA KEV catalog. Attackers would need to lure a user to a malicious web page that uses Canvas2D; the vulnerability would be exercised when the page’s script causes a use‑after‑free condition. Because of the high impact and the fact that a patch exists, the risk is significant until the remedy is applied.

Generated by OpenCVE AI on April 13, 2026 at 15:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 149 or later.
  • Upgrade Mozilla Thunderbird to version 149 or later.
  • Confirm that the installed versions have the patch applied.
  • Monitor security advisories for further guidance.

Generated by OpenCVE AI on April 13, 2026 at 15:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149 and Thunderbird < 149. Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Wed, 25 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Wed, 25 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 24 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149. Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
References

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses CWE-416
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Metrics cvssV3_1

{'score': 10.0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149.
Title Sandbox escape due to use-after-free in the Graphics: Canvas2D component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:50:50.855Z

Reserved: 2026-03-23T23:22:49.207Z

Link: CVE-2026-4725

cve-icon Vulnrichment

Updated: 2026-03-25T13:15:20.506Z

cve-icon NVD

Status : Modified

Published: 2026-03-24T13:16:08.377

Modified: 2026-04-13T15:17:44.903

Link: CVE-2026-4725

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-24T12:30:36Z

Links: CVE-2026-4725 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:42:58Z

Weaknesses