CVE-2026-4729

Published Mar 24, 2026

Last updated 2 hours ago

CVSS critical 9.8

Overview

Description: Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Source: security@mozilla.org
NVD status: Analyzed
Products: firefox, thunderbird

Risk scores

CVSS 3.1

Type: Secondary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0: CWE-120

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*",
            "matchCriteriaId": "02F2B82F-E997-4D5F-BBB0-237E4962555B",
            "versionEndExcluding": "149.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*",
            "matchCriteriaId": "40FE4697-89F1-46F6-8E28-41883647583B",
            "versionEndExcluding": "149.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References