PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2772 Mozilla CVE debrief

CVE-2026-2772 is a critical use-after-free vulnerability in the Audio/Video: Playback component of Firefox. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. The vulnerability has a CVSS score of 9.8 and is considered critical. The CVE record was published on February 24, 2026, and last modified on June 30, 2026.

Vendor
Mozilla
Product
Firefox
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-24
Original CVE updated
2026-06-30
Advisory published
2026-02-24
Advisory updated
2026-06-30

Who should care

Organizations and individuals using Firefox, Firefox ESR, Thunderbird, or other affected products should prioritize patching this vulnerability. The vulnerability's critical severity and high CVSS score indicate a significant risk of exploitation. Users of Red Hat products may also be affected, as indicated by multiple Red Hat errata references.

Technical summary

The CVE-2026-2772 vulnerability is a use-after-free issue in the Audio/Video: Playback component of Firefox. This type of vulnerability occurs when a program attempts to access memory after it has been freed or deleted. An attacker could potentially exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition. The vulnerability affects multiple products, including Firefox, Firefox ESR, and Thunderbird. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a high impact on confidentiality, integrity, and availability.

Defensive priority

Patching this vulnerability is a high priority due to its critical severity and high CVSS score. Organizations should prioritize applying the patches for Firefox, Firefox ESR, Thunderbird, and other affected products as soon as possible.

Recommended defensive actions

  • Apply patches for Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
  • Ensure all users and systems are updated to the patched versions.
  • Review and update Red Hat systems according to the provided errata references.
  • Monitor for any signs of exploitation or suspicious activity.
  • Consider implementing additional security measures, such as enhanced monitoring and incident response planning.

Evidence notes

The CVE record and NVD detail provide official information about the vulnerability. Multiple vendor advisories and issue tracking references are available, indicating a comprehensive response to the vulnerability. Red Hat has also provided errata references for affected systems.

Official resources

This article is AI-assisted and based on the supplied source corpus.