V
Scaner-VS
ENRU
HomeCatalogSourcesCWECAPECATT&CKMitigationsDocs
Back to catalog
CVE-2026-4721
ANC
Critical

Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these …

CVSS
9.8
Critical
EPSS
0.00
p34
Published
2026-01-01
Updated
2026-01-01
Description

Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Tags · CWE
Pre-auth
CWE-120
CAPEC-8
CAPEC-9
CAPEC-10
CAPEC-14
CAPEC-24
CAPEC-42
CAPEC-44
CAPEC-45
CAPEC-46
CAPEC-47
CAPEC-67
CAPEC-92
CAPEC-100
Affected products
Firefox < 115.34.0Firefox < 149.0Firefox 128.0–140.9.0Thunderbird < 140.9.0Thunderbird < 149.0
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
2026-01-01
Published
2026-01-01
Updated
CVSS 3.1 breakdown
Attack Vector
AV: N
Network (N)
Attack Complexity
AC: L
Low (L)
Privileges Required
PR: N
None (N)
User Interaction
UI: N
None (N)
Scope
S: U
Unchanged (U)
Confidentiality Impact
C: H
High (H)
Integrity Impact
I: H
High (H)
Availability Impact
A: H
High (H)
Exploit indicators
EPSS
0.004 · p34
Known exploited (KEV)
No
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
Affected software
ProductVendorStatus
Tracked
Tracked
firefoxTracked
firefox-esrTracked
thunderbirdTracked
firefox*Tracked
thunderbird*Tracked
Source databases
ANC
DEB
CVE
Related vulnerabilities
BDU:2026-08457
External references
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2013762%2C2015291%2C2016591%2C2016661%2C2016664%2C2017303%2C2017894%2C2018090%2C2018196%2C2018379%2C2019112%2C2022090%2C2022243%2C2022351%2C2022478%2C2022676@https://www.mozilla.org/security/advisories/mfsa2026-20/@https://www.mozilla.org/security/advisories/mfsa2026-21/@https://www.mozilla.org/security/advisories/mfsa2026-22/@https://www.mozilla.org/security/advisories/mfsa2026-23/@https://www.mozilla.org/security/advisories/mfsa2026-24/https://www.mozilla.org/en-US/security/advisories/mfsa2026-21/@https://www.mozilla.org/en-US/security/advisories/mfsa2026-22/@https://www.mozilla.org/en-US/security/advisories/mfsa2026-20/@https://bugzilla.mozilla.org/show_bug.cgi?id=2018102@https://bugzilla.mozilla.org/show_bug.cgi?id=2016329@https://bugzilla.mozilla.org/show_bug.cgi?id=2015267@https://bugzilla.mozilla.org/show_bug.cgi?id=2015091@https://bugzilla.mozilla.org/show_bug.cgi?id=2021863@https://bugzilla.mozilla.org/show_bug.cgi?id=2020906@https://bugzilla.mozilla.org/show_bug.cgi?id=2020190@https://bugzilla.mozilla.org/show_bug.cgi?id=2018430@https://bugzilla.mozilla.org/show_bug.cgi?id=2017643@https://bugzilla.mozilla.org/show_bug.cgi?id=2016373@https://bugzilla.mozilla.org/show_bug.cgi?id=2017512@https://bugzilla.mozilla.org/show_bug.cgi?id=2016375@https://bugzilla.mozilla.org/show_bug.cgi?id=2016374@https://bugzilla.mozilla.org/show_bug.cgi?id=2016368@https://bugzilla.mozilla.org/show_bug.cgi?id=2016351@https://bugzilla.mozilla.org/show_bug.cgi?id=2016349@https://bugzilla.mozilla.org/show_bug.cgi?id=2011129@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2013762@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2015291@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2016591@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2016661@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2016664@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2017303@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2017894@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2018090@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2018196@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2018379@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2019112@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022090@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022243@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022351@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022478@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022676@https://bugzilla.mozilla.org/show_bug.cgi?id=2020030@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2004652@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2019372@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2021922@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022567@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022733@https://bugzilla.mozilla.org/show_bug.cgi?id=2017666@https://bugzilla.mozilla.org/show_bug.cgi?id=2016367@https://bugzilla.mozilla.org/show_bug.cgi?id=2014864@https://bugzilla.mozilla.org/show_bug.cgi?id=2021695@https://bugzilla.mozilla.org/show_bug.cgi?id=2018592@https://bugzilla.mozilla.org/show_bug.cgi?id=2018405@https://bugzilla.mozilla.org/show_bug.cgi?id=2018126@https://bugzilla.mozilla.org/show_bug.cgi?id=2018113@https://bugzilla.mozilla.org/show_bug.cgi?id=2017002@https://bugzilla.mozilla.org/show_bug.cgi?id=2020422@https://bugzilla.mozilla.org/show_bug.cgi?id=2016370@https://bugzilla.mozilla.org/show_bug.cgi?id=2015268@https://bugzilla.mozilla.org/show_bug.cgi?id=2014873@https://bugzilla.mozilla.org/show_bug.cgi?id=2014868@https://bugzilla.mozilla.org/show_bug.cgi?id=2013560@https://bugzilla.mozilla.org/show_bug.cgi?id=2009303@https://bugzilla.mozilla.org/show_bug.cgi?id=2003766@https://bugzilla.mozilla.org/show_bug.cgi?id=2013179@https://bugzilla.mozilla.org/show_bug.cgi?id=2013573@https://bugzilla.mozilla.org/show_bug.cgi?id=2010097@https://bugzilla.mozilla.org/buglist.cgi?bug_id=1944033@https://bugzilla.mozilla.org/buglist.cgi?bug_id=1997282@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2009213@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2011412@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2021925@https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022034@https://bugzilla.mozilla.org/show_bug.cgi?id=2008112@https://bugzilla.mozilla.org/show_bug.cgi?id=1955311@https://bugzilla.mozilla.org/show_bug.cgi?id=2017108@https://bugzilla.mozilla.org/show_bug.cgi?id=2014865