PatchSiren cyber security CVE debrief
CVE-2026-2757 Mozilla CVE debrief
CVE-2026-2757 is a critical vulnerability in the WebRTC: Audio/Video component of Firefox. The vulnerability is caused by incorrect boundary conditions, which can lead to severe consequences. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 9.8, indicating a critical severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
- Vendor: Mozilla
- Product: Firefox
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-24
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-24
- Advisory updated: 2026-06-30
Who should care
This vulnerability affects users of Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR. Specifically, users of Firefox versions prior to 148, Firefox ESR versions prior to 115.33 and 140.8, Thunderbird versions prior to 148, and Thunderbird ESR versions prior to 140.8 are vulnerable. Users of Red Hat products may also be affected, as indicated by multiple Red Hat errata references.
Technical summary
The vulnerability is caused by incorrect boundary conditions in the WebRTC: Audio/Video component of Firefox. This can lead to severe consequences, including arbitrary code execution. The vulnerability has been fixed in multiple Firefox and Thunderbird versions. The CVSS score for this vulnerability is 9.8, indicating a critical severity level. The vulnerability is tracked by CVE-2026-2757 and has been publicly disclosed.
Defensive priority
This vulnerability has a critical CVSS score of 9.8 and should be prioritized for immediate remediation. Affected users should update to the latest versions of Firefox, Firefox ESR, Thunderbird, or Thunderbird ESR as soon as possible.
Recommended defensive actions
- Update Firefox to version 148 or later
- Update Firefox ESR to version 115.33 or 140.8 or later
- Update Thunderbird to version 148 or later
- Update Thunderbird ESR to version 140.8 or later
- Apply Red Hat errata RHSA-2026:3338, RHSA-2026:3339, RHSA-2026:3361, or other applicable errata
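The check below is an added example, not code from Mozilla, NVD or this site: it classifies installed Firefox and Thunderbird versions against the fixed versions listed above, handling the ESR branches separately from the mainline floor. The function names and inventory rows are constructed for illustration, and an ESR branch this page does not list is treated as vulnerable.

```python
import re

# Fixed versions exactly as listed in this debrief. "release" is the mainline
# floor; integer keys are ESR branches identified by major version.
FIXED = {
    "firefox": {"release": (148, 0), 115: (115, 33), 140: (140, 8)},
    "thunderbird": {"release": (148, 0), 140: (140, 8)},
}

def parse_version(text):
    """Return (major, minor) from strings such as '140.7.1esr' or '148.0'."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def triage(product, version):
    """Classify one install as 'fixed', 'vulnerable', or 'unknown'."""
    table = FIXED.get(product.strip().lower())
    parsed = parse_version(version)
    if table is None or parsed is None:
        return "unknown"
    if parsed >= table["release"]:
        return "fixed"
    # Below the mainline floor: only a listed ESR branch at or past its
    # own fixed minor version counts as patched.
    branch_fix = table.get(parsed[0])
    if branch_fix is not None and parsed >= branch_fix:
        return "fixed"
    return "vulnerable"

# Constructed sample inventory (host, product, version); not real data.
INVENTORY = [
    ("ws-01", "Firefox", "147.0.2"),
    ("ws-02", "Firefox", "115.33.0esr"),
    ("ws-03", "Firefox", "140.7.0esr"),
    ("ws-04", "Thunderbird", "140.8.0esr"),
    ("ws-05", "Thunderbird", "115.18.0esr"),
    ("ws-06", "Firefox", "148.0"),
]

def needs_patch(inventory):
    """Hosts whose install is not confirmed fixed (vulnerable or unknown)."""
    return [h for h, p, v in inventory if triage(p, v) != "fixed"]

if __name__ == "__main__":
    for host, product, version in INVENTORY:
        print(f"{host}\t{product} {version}\t{triage(product, version)}")
```

Hosts reported as "unknown" are kept in the patch list so that an unparsable version string is never silently counted as safe.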
Evidence notes
The CVE-2026-2757 vulnerability was publicly disclosed on February 24, 2026, and was modified on June 30, 2026. The vulnerability is tracked by multiple sources, including NVD and CVE.org. The CVSS score and vector were provided by the NVD. Multiple references, including issue tracking and vendor advisories, are available.
Official resources
- CVE-2026-2757 CVE record: CVE.org
- CVE-2026-2757 NVD detail: NVD
- Source item URL: nvd_modified
- Source reference: [email protected] - Issue Tracking, Permissions Required
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.