PatchSiren cyber security CVE debrief
CVE-2026-2796 Mozilla CVE debrief
CVE-2026-2796 is a critical vulnerability in the JavaScript: WebAssembly component of Mozilla Firefox and Thunderbird. The vulnerability, which has a CVSS score of 9.8, was fixed in Firefox 148 and Thunderbird 148. This vulnerability involves a Just-In-Time (JIT) miscompilation issue. The CVE was published on February 24, 2026, and last modified on June 30, 2026. The vulnerability affects Firefox versions prior to 148 and Thunderbird versions prior to 148.
- Vendor
- Mozilla
- Product
- Firefox
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-24
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-02-24
- Advisory updated
- 2026-06-30
Who should care
This vulnerability affects users of Mozilla Firefox and Thunderbird. Specifically, any user with a version of Firefox earlier than 148 or Thunderbird earlier than 148 is vulnerable. Given the critical severity and high CVSS score, users should update to the latest versions as soon as possible to mitigate potential risks.
Technical summary
CVE-2026-2796 is a critical vulnerability in the JavaScript: WebAssembly component. It results from a JIT miscompilation issue, which can lead to high impacts on confidentiality, integrity, and availability. The vulnerability has been assigned a CVSS score of 9.8, indicating a critical severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability can be exploited over the network with low attack complexity and no privileges required. The weakness associated with this vulnerability is CWE-843.
Defensive priority
High. This vulnerability has a critical CVSS score of 9.8 and affects widely used software (Firefox and Thunderbird), making it a high priority for defenders to address.
Recommended defensive actions
- Update Firefox to version 148 or later.
- Update Thunderbird to version 148 or later.
- Ensure all users of Firefox and Thunderbird within the organization are updated to the secure versions.
- Monitor for any unusual activity that could be related to exploitation of this vulnerability.
- Consider implementing additional security measures for high-risk users or environments.
Evidence notes
The CVE-2026-2796 vulnerability was published on February 24, 2026, and last modified on June 30, 2026. It was fixed in Firefox 148 and Thunderbird 148. The vulnerability is a JIT miscompilation issue in the JavaScript: WebAssembly component. The CVSS score is 9.8, indicating critical severity. The CVE details and references can be found on the official CVE website and NVD database.
Official resources
-
CVE-2026-2796 CVE record
CVE.org
-
CVE-2026-2796 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
[email protected] - Permissions Required
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.