Description
Denial-of-service in the Libraries component in NSS. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Published: 2026-03-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A denial-of-service vulnerability exists in the Libraries component of the Network Security Services (NSS) library used by Mozilla Firefox and Thunderbird. The flaw falls under uncontrolled resource consumption (CWE-400) and allocation of resources without limits (CWE-770). An attacker could trigger the vulnerable library to exhaust system resources or crash the application, leading to denial of service for legitimate users.

Affected Systems

The vulnerability affects all released versions of Mozilla Firefox and Thunderbird prior to version 149. Users running older builds are exposed, while Mozilla has addressed the issue in Firefox 149 and Thunderbird 149. Vendors and users should verify the installed version; only releases 149 and newer provide the fix.

Risk and Exploitability

With a CVSS score of 7.5, the severity is high, yet the EPSS score of less than 1% indicates a low probability of exploitation at present, and the vulnerability is not listed in CISA’s KEV catalog. The exact attack vector is not documented in the advisory; based on the description, it is inferred that an attacker would need to deliver data that exercises the NSS Libraries component, though whether this occurs remotely or locally is unclear. The primary consequence remains a denial of service to the impacted application.

Generated by OpenCVE AI on April 13, 2026 at 16:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox and Thunderbird to version 149 or later.
  • Verify that the updated versions are successfully installed.
  • Monitor application stability after the upgrade.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | Denial-of-service in the Libraries component in NSS. This vulnerability affects Firefox < 149 and Thunderbird < 149. | Denial-of-service in the Libraries component in NSS. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Wed, 25 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 25 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 3.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Wed, 25 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N'}

threat_severity

Low


Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 24 Mar 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | Denial-of-service in the Libraries component in NSS. This vulnerability affects Firefox < 149. | Denial-of-service in the Libraries component in NSS. This vulnerability affects Firefox < 149 and Thunderbird < 149.
References

Tue, 24 Mar 2026 12:45:00 +0000

Type Values Removed Values Added
Description Denial-of-service in the Libraries component in NSS. This vulnerability affects Firefox < 149.
Title Denial-of-service in the Libraries component in NSS
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:08.072Z

Reserved: 2026-03-23T23:22:53.470Z

Link: CVE-2026-4727

Vulnrichment

Updated: 2026-03-25T17:46:47.584Z

NVD

Status: Modified

Published: 2026-03-24T13:16:08.570

Modified: 2026-04-13T15:17:45.243

Link: CVE-2026-4727

Red Hat

Severity: Low

Public Date: 2026-03-24T12:30:41Z

Links: CVE-2026-4727 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:42:50Z

Weaknesses