PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2757 Mozilla CVE debrief

CVE-2026-2757 is a critical vulnerability in the WebRTC: Audio/Video component of Firefox. The vulnerability is caused by incorrect boundary conditions, which can lead to severe consequences. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 9.8, indicating a critical severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Vendor: Mozilla
Product: Firefox
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-24
Original CVE updated: 2026-06-30
Advisory published: 2026-02-24
Advisory updated: 2026-06-30

Who should care

This vulnerability affects users of Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR. Vulnerable versions are Firefox prior to 148, Firefox ESR prior to 115.33 or prior to 140.8 (depending on the ESR branch), Thunderbird prior to 148, and Thunderbird ESR prior to 140.8. Users of Red Hat products may also be affected, as indicated by multiple Red Hat errata references.

Technical summary

The vulnerability is caused by incorrect boundary conditions in the WebRTC: Audio/Video component of Firefox. This can lead to severe consequences, including arbitrary code execution. The vulnerability has been fixed in multiple Firefox and Thunderbird versions. The CVSS score for this vulnerability is 9.8, indicating a critical severity level. The vulnerability is tracked by CVE-2026-2757 and has been publicly disclosed.

Defensive priority

This vulnerability has a critical CVSS score of 9.8 and should be prioritized for immediate remediation. Affected users should update to the latest versions of Firefox, Firefox ESR, Thunderbird, or Thunderbird ESR as soon as possible.

Recommended defensive actions

  • Update Firefox to version 148 or later
  • Update Firefox ESR to version 115.33 or 140.8 or later
  • Update Thunderbird to version 148 or later
  • Update Thunderbird ESR to version 140.8 or later
  • Apply Red Hat errata RHSA-2026:3338, RHSA-2026:3339, RHSA-2026:3361, or other applicable errata
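The fixed versions above sit on separate release branches, so a single "older than 148" comparison would wrongly flag a patched ESR build, and a single "at least 115.33" comparison would wrongly pass an unpatched mainline build. The following is an added example, not code from PatchSiren or Mozilla, that checks an inventory per branch; the host names and the inventory rows are constructed, and matching a build to an ESR branch by its major version number is an assumption.

```python
import re

# Fixed versions as listed in this debrief, as (major, minor).
# Assumption: a build whose major version equals an ESR branch number is
# judged against that branch's fix; any other build needs the mainline fix.
FIXED = {
    "firefox": {"mainline": (148, 0), "esr": {115: (115, 33), 140: (140, 8)}},
    "thunderbird": {"mainline": (148, 0), "esr": {140: (140, 8)}},
}

def parse_version(text):
    """Return (major, minor) from strings such as '140.8.0esr' or '148.0'."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def is_patched(product, version_text):
    """True if the version is at or past a fix listed for its branch."""
    rules = FIXED[product.lower()]
    ver = parse_version(version_text)
    if ver >= rules["mainline"]:
        return True
    branch_fix = rules["esr"].get(ver[0])
    # Branches with no listed fix (e.g. 128.x, 147.x) are never patched.
    return branch_fix is not None and ver >= branch_fix

def triage(inventory):
    """Return the (host, product, version) rows that still need an update."""
    return [row for row in inventory if not is_patched(row[1], row[2])]

# Constructed sample inventory: (host, product, reported version).
SAMPLE_INVENTORY = [
    ("ws-001", "firefox", "148.0"),
    ("ws-002", "firefox", "140.8.0esr"),
    ("ws-003", "firefox", "140.7.1esr"),
    ("ws-004", "firefox", "147.0.2"),
    ("ws-005", "firefox", "115.33.0esr"),
    ("ws-006", "thunderbird", "140.8.0"),
    ("ws-007", "thunderbird", "115.33.0"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs update")
```

Distribution packages that carry backported fixes (such as those shipped through the Red Hat errata) should be checked against the errata package versions rather than with this upstream comparison.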

Evidence notes

CVE-2026-2757 was publicly disclosed on February 24, 2026, and was modified on June 30, 2026. The vulnerability is tracked by multiple sources, including NVD and CVE.org. The CVSS score and vector were provided by the NVD. Multiple references, including issue tracking and vendor advisories, are available.

This article is AI-assisted and based on the supplied source corpus.