Mozilla Firefox Open source web browser
Recent Mozilla Firefox Security Advisories
| Advisory | Title | Published |
|---|---|---|
| mfsa2026-20 | Security Vulnerabilities fixed in Firefox 149 | March 24, 2026 |
| mfsa2026-22 | Security Vulnerabilities fixed in Firefox ESR 140.9 | March 24, 2026 |
| mfsa2026-21 | Security Vulnerabilities fixed in Firefox ESR 115.34 | March 24, 2026 |
| mfsa2026-19 | Security Vulnerabilities fixed in Firefox 148.0.2 | March 10, 2026 |
| mfsa2026-15 | Security Vulnerabilities fixed in Firefox ESR 140.8 | February 24, 2026 |
| mfsa2026-14 | Security Vulnerabilities fixed in Firefox ESR 115.33 | February 24, 2026 |
| mfsa2026-13 | Security Vulnerabilities fixed in Firefox 148 | February 24, 2026 |
| mfsa2026-12 | Security Vulnerabilities fixed in Firefox for iOS 147.4 | February 20, 2026 |
| mfsa2026-09 | Security Vulnerabilities fixed in Firefox for iOS 147.2.1 | February 9, 2026 |
| mfsa2026-06 | Security Vulnerabilities fixed in Firefox 147.0.2 | January 27, 2026 |
Known Exploited Mozilla Firefox Vulnerabilities
The following Mozilla Firefox vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox and Firefox ESR contain a use-after-free vulnerability in Animation timelines that allows for code execution in the content process. CVE-2024-9680. Exploit Probability: 35.5% | October 15, 2024 |
| Mozilla Firefox Security Feature Bypass Vulnerability | Mozilla Firefox allows remote attackers to bypass the Same Origin Policy to read arbitrary files or gain privileges. CVE-2015-4495. Exploit Probability: 71.6% | May 25, 2022 |
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox contains a use-after-free vulnerability in WebGPU IPC Framework which can be exploited to perform arbitrary code execution. CVE-2022-26486. Exploit Probability: 5.5% | March 7, 2022 |
| Mozilla Firefox Use-After-Free Vulnerability | Mozilla Firefox contains a use-after-free vulnerability in XSLT parameter processing which can be exploited to perform arbitrary code execution. CVE-2022-26485. Exploit Probability: 7.2% | March 7, 2022 |
| Mozilla Firefox Information Disclosure Vulnerability | Mozilla Firefox does not properly initialize data structures for the nsDOMSVGZoomEvent::mPreviousScale and nsDOMSVGZoomEvent::mNewScale functions, which allows remote attackers to obtain sensitive information from process memory via a crafted web site. CVE-2013-1675. Exploit Probability: 4.7% | March 3, 2022 |
2 known exploited Mozilla Firefox vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
EOL Dates
Ensure that you are using a supported version of Mozilla Firefox. Here are some end-of-life and end-of-support dates for Mozilla Firefox.
| Release | EOL Date | Status |
|---|---|---|
| 149 | - | Active |
| 148 | March 24, 2026 | EOL. Mozilla Firefox 148 became EOL in 2026. |
| 147 | February 24, 2026 | EOL. Mozilla Firefox 147 became EOL in 2026. |
| 146 | January 13, 2026 | EOL. Mozilla Firefox 146 became EOL in 2026. |
| 145 | December 9, 2025 | EOL. Mozilla Firefox 145 became EOL in 2025. |
| 144 | November 11, 2025 | EOL. Mozilla Firefox 144 became EOL in 2025. |
| 143 | October 14, 2025 | EOL. Mozilla Firefox 143 became EOL in 2025. |
| 142 | September 16, 2025 | EOL. Mozilla Firefox 142 became EOL in 2025. |
| 141 | August 19, 2025 | EOL. Mozilla Firefox 141 became EOL in 2025. |
| 140 | September 16, 2026 | EOL This Year. Mozilla Firefox 140 will become EOL this year, in September 2026. |
| 139 | June 24, 2025 | EOL. Mozilla Firefox 139 became EOL in 2025. |
| 138 | May 27, 2025 | EOL. Mozilla Firefox 138 became EOL in 2025. |
| 137 | April 29, 2025 | EOL. Mozilla Firefox 137 became EOL in 2025. |
| 136 | April 1, 2025 | EOL. Mozilla Firefox 136 became EOL in 2025. |
| 135 | March 4, 2025 | EOL. Mozilla Firefox 135 became EOL in 2025. |
| 134 | February 4, 2025 | EOL. Mozilla Firefox 134 became EOL in 2025. |
| 133 | January 7, 2025 | EOL. Mozilla Firefox 133 became EOL in 2025. |
| 132 | November 26, 2024 | EOL. Mozilla Firefox 132 became EOL in 2024. |
| 131 | October 29, 2024 | EOL. Mozilla Firefox 131 became EOL in 2024. |
| 130 | October 1, 2024 | EOL. Mozilla Firefox 130 became EOL in 2024. |
By the Year
In 2026 there have been 125 vulnerabilities in Mozilla Firefox with an average score of 8.7 out of ten. Last year, in 2025, Firefox had 187 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in Firefox in 2026 could surpass last year's number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.02.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 125 | 8.69 |
| 2025 | 187 | 7.67 |
| 2024 | 190 | 7.18 |
| 2023 | 180 | 7.38 |
| 2022 | 159 | 7.44 |
| 2021 | 123 | 7.13 |
| 2020 | 148 | 7.27 |
| 2019 | 121 | 7.44 |
| 2018 | 312 | 7.82 |
It may take a day or so for new Firefox vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Mozilla Firefox Security Vulnerabilities
Memory safety bug in Firefox <149.0.2 & Thunderbird 149.0.1
CVE-2026-5735
- April 07, 2026
Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2.
Memory corruption in Firefox <149.0.2 & ESR <140.9.1
CVE-2026-5734
- April 07, 2026
Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2 and Firefox ESR < 140.9.1.
Firefox <149.0.2 WebGPU Boundary Conditions CVE-2026-5733
CVE-2026-5733
- April 07, 2026
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 149.0.2.
Integer Overflow in Firefox Graphics: Text Component (149.0.2 / ESR 140.9.1)
CVE-2026-5732
- April 07, 2026
Incorrect boundary conditions, integer overflow in the Graphics: Text component. This vulnerability affects Firefox < 149.0.2 and Firefox ESR < 140.9.1.
Mem safety bug in Firefox <149.0.2 (ESR 115/140)
CVE-2026-5731
- April 07, 2026
Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2, Firefox ESR < 115.34.1, and Firefox ESR < 140.9.1.
Memory safety bugs in Firefox <149 (CVE-2026-4729)
CVE-2026-4729
9.8 - Critical
- March 24, 2026
Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Classic Buffer Overflow
Memory Safety Bug in Firefox (ESR 115.33/140.8 & 148) prior to v149
CVE-2026-4721
9.8 - Critical
- March 24, 2026
Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Classic Buffer Overflow
Mozilla Firefox <149 & ESR <140.9 Memory Corruption (Thunderbird)
CVE-2026-4720
9.8 - Critical
- March 24, 2026
Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Classic Buffer Overflow
Firefox Graphics:Text Boundary Condition Flaw (pre-149 / ESR<140.9)
CVE-2026-4719
7.5 - High
- March 24, 2026
Incorrect boundary conditions in the Graphics: Text component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Buffer Overflow
Firefox Privacy Anti-Tracking Spoofing Vulnerability
CVE-2026-4728
6.5 - Medium
- March 24, 2026
Spoofing issue in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Authentication Bypass by Spoofing
Undefined Behavior in WebRTC Signaling of Firefox <149
CVE-2026-4718
8.1 - High
- March 24, 2026
Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Firefox <149 NSS Libraries DoS (Mozilla)
CVE-2026-4727
7.5 - High
- March 24, 2026
Denial-of-service in the Libraries component in NSS. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Resource Exhaustion
Denial-of-Service in Firefox XML Component (CVE-2026-4726)
CVE-2026-4726
7.5 - High
- March 24, 2026
Denial-of-service in the XML component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Resource Exhaustion
Privilege Escalation in Netmonitor of Firefox <149/ESR 140.9
CVE-2026-4717
9.8 - Critical
- March 24, 2026
Privilege escalation in the Netmonitor component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Firefox <149/ESR <140.9: JS Engine uninitialized memory
CVE-2026-4716
9.1 - Critical
- March 24, 2026
Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Use of Uninitialized Resource
Uninitialized Memory in Firefox Canvas2D component <149/ESR<140.9
CVE-2026-4715
9.1 - Critical
- March 24, 2026
Uninitialized memory in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Use of Uninitialized Resource
Firefox Audio/Video Boundary Condition Flaw (v <149, ESR <140.9)
CVE-2026-4714
7.5 - High
- March 24, 2026
Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Improper Check for Unusual or Exceptional Conditions
FF <149 Graphics Boundary Condition Flaw
CVE-2026-4713
7.5 - High
- March 24, 2026
Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Improper Check for Unusual or Exceptional Conditions
Firefox Canvas2D Sandbox Escape due to Use-After-Free
CVE-2026-4725
9.3 - Critical
- March 24, 2026
Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Dangling pointer
Firefox <149 Info Disclosure via Widget Cocoa Comp (CVE-2026-4712)
CVE-2026-4712
7.5 - High
- March 24, 2026
Information disclosure in the Widget: Cocoa component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Information Disclosure
Firefox <149 Use-after-free in Cocoa Widget Component
CVE-2026-4711
9.8 - Critical
- March 24, 2026
Use-after-free in the Widget: Cocoa component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Dangling pointer
Firefox AV Boundary Condition Flaw v<149/ESR<140.9
CVE-2026-4710
9.8 - Critical
- March 24, 2026
Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Buffer Overflow
Mozilla Firefox <149 Audio/Video: GMP Boundary Condition Vulnerability
CVE-2026-4709
7.5 - High
- March 24, 2026
Incorrect boundary conditions in the Audio/Video: GMP component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Improper Check for Unusual or Exceptional Conditions
Firefox Graphics Boundary Flaw (149, ESR<140.9)
CVE-2026-4708
7.5 - High
- March 24, 2026
Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Improper Check for Unusual or Exceptional Conditions
Firefox <149 Canvas2D Boundary Condition Flaw (CVE20264707)
CVE-2026-4707
7.5 - High
- March 24, 2026
Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Improper Check for Unusual or Exceptional Conditions
Firefox <149 & ESR <115.34,140.9 Canvas2D Boundary Condition Vulnerability
CVE-2026-4706
7.5 - High
- March 24, 2026
Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Improper Check for Unusual or Exceptional Conditions
CVE-2026-4705: WebRTC Signaling UB Firefox <149/ESR <140.9
CVE-2026-4705
9.8 - Critical
- March 24, 2026
Undefined behavior in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Undefined Behavior in Firefox Audio/Video Component (CVE-2026-4724)
CVE-2026-4724
9.1 - Critical
- March 24, 2026
Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Firefox <149 Denial-of-Service via WebRTC Signaling
CVE-2026-4704
7.5 - High
- March 24, 2026
Denial-of-service in the WebRTC: Signaling component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Resource Exhaustion
Use-After-Free in Firefox JS Engine (<v149)
CVE-2026-4723
9.8 - Critical
- March 24, 2026
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Dangling pointer
Mozilla Firefox <149 JIT Miscompilation in JS Engine (CVE-2026-4702)
CVE-2026-4702
9.8 - Critical
- March 24, 2026
JIT miscompilation in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Object Type Confusion
Privilege Escalation in Firefox IPC Component
CVE-2026-4722
8.8 - High
- March 24, 2026
Privilege escalation in the IPC component. This vulnerability affects Firefox < 149 and Thunderbird < 149.
Use-after-free in Firefox JS Engine before 149 & ESR <140.9
CVE-2026-4701
9.8 - Critical
- March 24, 2026
Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Dangling pointer
Firefox <149 Mitigation Bypass in Networking:HTTP Component
CVE-2026-4700
9.8 - Critical
- March 24, 2026
Mitigation bypass in the Networking: HTTP component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Authentication Bypass Using an Alternate Path or Channel
Firefox <149 Boundary Error in Layout Text & Fonts
CVE-2026-4699
7.5 - High
- March 24, 2026
Incorrect boundary conditions in the Layout: Text and Fonts component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Improper Check for Unusual or Exceptional Conditions
Firefox <149 JIT-Miscompilation SpiderMonkey
CVE-2026-4698
9.8 - Critical
- March 24, 2026
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Object Type Confusion
Firefox <149 Audio/Video Web Codecs boundary flaw
CVE-2026-4697
7.5 - High
- March 24, 2026
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Improper Check for Unusual or Exceptional Conditions
UA-Free in Firefox Layout:Text & Fonts v<149 (ESR<115.34)
CVE-2026-4696
9.8 - Critical
- March 24, 2026
Use-after-free in the Layout: Text and Fonts component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Dangling pointer
Integer Overflow Firefox Graphics <=149 (ESR<115.34)
CVE-2026-4694
7.5 - High
- March 24, 2026
Incorrect boundary conditions, integer overflow in the Graphics component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Improper Check for Unusual or Exceptional Conditions
Firefox <149: Incorrect Boundary Conditions in Audio/Video Web Codecs
CVE-2026-4695
7.5 - High
- March 24, 2026
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Improper Check for Unusual or Exceptional Conditions
Firefox <149/ESR<140.9 AV Playback Boundary Check Failure
CVE-2026-4693
7.5 - High
- March 24, 2026
Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Improper Check for Unusual or Exceptional Conditions
CVE-2026-4692: Sandbox Escape via Responsive Design Mode in Firefox <149
CVE-2026-4692
9.6 - Critical
- March 24, 2026
Sandbox escape in the Responsive Design Mode component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Firefox CSS Parsing Use-After-Free (before 149, ESR <115.34/140.9)
CVE-2026-4691
9.8 - Critical
- March 24, 2026
Use-after-free in the CSS Parsing and Computation component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Dangling pointer
Firefox <149 XPCOM Sandbox Escape (CVE-2026-4690)
CVE-2026-4690
9.6 - Critical
- March 24, 2026
Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Integer Overflow or Wraparound
Firefox <149 Sandbox Escape: XPCOM Integer Overflow
CVE-2026-4689
10 - Critical
- March 24, 2026
Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Classic Buffer Overflow
Firefox <149/ESR<140.9: Disability Access API UAF Sandbox Escape
CVE-2026-4688
9.6 - Critical
- March 24, 2026
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Dangling pointer
Firefox <149 Sandbox Escape via Telemetry Boundary Conditions
CVE-2026-4687
9.6 - Critical
- March 24, 2026
Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Classic Buffer Overflow
Firefox Canvas2D Incorrect Boundary Conditions ( Firefox 149 / ESR 140.9)
CVE-2026-4686
7.5 - High
- March 24, 2026
Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Improper Check for Unusual or Exceptional Conditions
Firefox Canvas2D boundary flaw before v149/ESR115.34/ESR140.9
CVE-2026-4685
7.5 - High
- March 24, 2026
Incorrect boundary conditions in the Graphics: Canvas2D component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Improper Check for Unusual or Exceptional Conditions
WebRender Use-After-Free Race in Firefox <149 (ESR <115.34/140.9)
CVE-2026-4684
7.5 - High
- March 24, 2026
Race condition, use-after-free in the Graphics: WebRender component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
Dangling pointer