CVE-2026-4721 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: March 25, 2026
Mozilla Firefox & Thunderbird - Remote Code Execution
Published: March 24, 2026Updated: March 25, 2026Remote Exploitable
Overview
Mozilla Firefox ESR < 115.34, ESR < 140.9, Firefox < 149, and Thunderbird ESR < 140.9 contain memory safety bugs caused by memory corruption, letting attackers potentially execute arbitrary code remotely, exploit requires no special privileges.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can exploit memory corruption to execute arbitrary code, potentially leading to full system compromise.
Mitigation
Update to Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, and Thunderbird ESR 140.9 or later.
References
- https://www.mozilla.org/security/advisories/mfsa2026-23/
- https://www.mozilla.org/security/advisories/mfsa2026-24/
- https://bugzilla.mozilla.org/buglist.cgi?bug_id=2013762%2C2015291%2C2016591%2C2016661%2C2016664%2C2017303%2C2017894%2C2018090%2C2018196%2C2018379%2C2019112%2C2022090%2C2022243%2C2022351%2C2022478%2C2022676
- https://www.mozilla.org/security/advisories/mfsa2026-20/
- https://www.mozilla.org/security/advisories/mfsa2026-21/
- https://www.mozilla.org/security/advisories/mfsa2026-22/
Related Resources
Details
- CVE ID
- CVE-2026-4721
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- undefined
- Status
- unconfirmed
CWE
- CWE-120
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H