PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-2796 Mozilla CVE debrief

CVE-2026-2796 is a critical vulnerability (CVSS 9.8) in the JavaScript: WebAssembly component of Mozilla Firefox and Thunderbird, caused by a Just-In-Time (JIT) miscompilation issue. It affects Firefox versions prior to 148 and Thunderbird versions prior to 148, and was fixed in Firefox 148 and Thunderbird 148. The CVE was published on February 24, 2026, and last modified on June 30, 2026.

Vendor: Mozilla
Product: Firefox
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-24
Original CVE updated: 2026-06-30
Advisory published: 2026-02-24
Advisory updated: 2026-06-30

Who should care

This vulnerability affects users of Mozilla Firefox and Thunderbird. Specifically, any user with a version of Firefox earlier than 148 or Thunderbird earlier than 148 is vulnerable. Given the critical severity and high CVSS score, users should update to the latest versions as soon as possible to mitigate potential risks.

Technical summary

CVE-2026-2796 results from a JIT miscompilation issue in the JavaScript: WebAssembly component. It has been assigned a CVSS score of 9.8, a critical severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: the vulnerability can be exploited over the network with low attack complexity, no privileges required and no user interaction, and the impact on confidentiality, integrity, and availability is rated high. The weakness associated with this vulnerability is CWE-843.

Defensive priority

High. This vulnerability has a critical CVSS score of 9.8 and affects widely used software (Firefox and Thunderbird), making it a high priority for defenders to address.

Recommended defensive actions

  • Update Firefox to version 148 or later.
  • Update Thunderbird to version 148 or later.
  • Ensure all users of Firefox and Thunderbird within the organization are updated to the secure versions.
  • Monitor for any unusual activity that could be related to exploitation of this vulnerability.
  • Consider implementing additional security measures for high-risk users or environments.
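
One way to check that every install in the organization has reached the fixed versions is to triage a software inventory export. The script below is an added example, not part of the original debrief: the CSV layout, host names and version strings are constructed, and sending ESR, pre-release and unparseable versions to manual review is an assumption, since this page gives fixed versions only as Firefox 148 and Thunderbird 148.

```python
import csv
import io
import re

# Fixed major versions as stated on this page.
FIXED_MAJOR = {"firefox": 148, "thunderbird": 148}

# Major version, optional dotted parts, optional alpha/beta or ESR suffix.
VERSION_RE = re.compile(r"^(\d+)(?:\.\d+)*((?:a|b)\d+|esr)?$", re.IGNORECASE)

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = """\
host,product,version
ws-001,Firefox,147.0.2
ws-002,Firefox,148.0
ws-003,Thunderbird,146.0.1
ws-004,Firefox,140.7.0esr
ws-005,Thunderbird,148.0b3
ws-006,Firefox,unknown
ws-007,LibreOffice,25.8.1
"""

def triage(product, version):
    """Return 'vulnerable', 'patched', 'review' or 'not-applicable'."""
    fixed = FIXED_MAJOR.get(product.strip().lower())
    if fixed is None:
        return "not-applicable"      # product not covered by this CVE debrief
    match = VERSION_RE.match(version.strip())
    if not match:
        return "review"              # cannot be compared, check by hand
    major = int(match.group(1))
    suffix = (match.group(2) or "").lower()
    if suffix == "esr":
        return "review"              # assumption: no ESR fixed version on this page
    if major < fixed:
        return "vulnerable"
    if major == fixed and suffix:
        return "review"              # a 148 pre-release may predate the fix
    return "patched"

def audit(csv_text):
    """Group host names from a host,product,version CSV by triage status."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = triage(row["product"], row["version"])
        report.setdefault(status, []).append(row["host"])
    return report

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```
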

Evidence notes

The CVE-2026-2796 vulnerability was published on February 24, 2026, and last modified on June 30, 2026. It was fixed in Firefox 148 and Thunderbird 148. The vulnerability is a JIT miscompilation issue in the JavaScript: WebAssembly component. The CVSS score is 9.8, indicating critical severity. The CVE details and references can be found on the official CVE website and NVD database.

This article is AI-assisted and based on the supplied source corpus.