PatchSiren

CVE-2026-2797 Mozilla CVE debrief

CVE-2026-2797 is a critical use-after-free vulnerability in the JavaScript: GC component of Firefox and Thunderbird. The vulnerability was fixed in Firefox 148 and Thunderbird 148. This vulnerability has a CVSS score of 9.8 and a severity of CRITICAL. The CVE was published on 2026-02-24T14:16:28.200Z and last modified on 2026-06-30T03:18:21.253Z. The vulnerability affects Firefox and Thunderbird versions prior to 148.

Vendor: Mozilla
Product: Firefox
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-24
Original CVE updated: 2026-06-30
Advisory published: 2026-02-24
Advisory updated: 2026-06-30

Who should care

Organizations and individuals using Firefox and Thunderbird should prioritize patching this vulnerability, as it can be exploited remotely without authentication. The vulnerability's high CVSS score and critical severity indicate a significant risk to affected systems. Users of Firefox and Thunderbird should ensure they are running version 148 or later to mitigate this vulnerability.

Technical summary

CVE-2026-2797 is a use-after-free vulnerability in the JavaScript: GC component of Firefox and Thunderbird. This type of vulnerability occurs when a program attempts to access memory that has already been freed or deleted. An attacker could potentially exploit this vulnerability to execute arbitrary code on an affected system. The vulnerability is addressed in Firefox 148 and Thunderbird 148. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 9.8, which corresponds to CRITICAL severity. The vulnerability is tracked under CWE-416.

Defensive priority

High priority should be given to patching CVE-2026-2797, as it is a critical vulnerability with a high CVSS score. Organizations should ensure that all instances of Firefox and Thunderbird are updated to version 148 or later as soon as possible.

Recommended defensive actions

  • Update Firefox to version 148 or later.
  • Update Thunderbird to version 148 or later.
  • Verify that all instances of Firefox and Thunderbird are patched.
  • Monitor for any suspicious activity related to this vulnerability.
  • Consider implementing additional security measures, such as restricting access to sensitive data and systems.
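
One way to carry out the verification step above across a fleet is to classify collected version strings against the fixed release. This is an added example, not code from the advisory or from Mozilla. It assumes the inventory holds `--version` style output ("Mozilla Firefox 147.0.1"); host names and sample lines are constructed. ESR and pre-release builds are reported for manual review because the page names only version 148 as fixed.

```python
import re

FIXED_MAJOR = 148  # from the page: fixed in Firefox 148 and Thunderbird 148

# Assumed input format: "<product> <version>" as printed by `--version`.
VERSION_RE = re.compile(
    r"(?P<product>Firefox|Thunderbird)\s+"
    r"(?P<major>\d+)(?:\.\d+)*(?P<suffix>[a-z]+\d*)?\s*$",
    re.IGNORECASE,
)

def classify(version_line):
    """Return (product, status); status is patched/vulnerable/review/unparsed."""
    m = VERSION_RE.search(version_line.strip())
    if not m:
        return (None, "unparsed")
    product = m.group("product").capitalize()
    if m.group("suffix"):
        # ESR and pre-release builds: the page gives no fixed version for
        # these channels, so do not guess; check the vendor advisory.
        return (product, "review")
    major = int(m.group("major"))
    return (product, "patched" if major >= FIXED_MAJOR else "vulnerable")

def audit(inventory):
    """Group every host that is not confirmed patched by status."""
    findings = {}
    for host, line in inventory:
        product, status = classify(line)
        if status != "patched":
            findings.setdefault(status, []).append((host, product))
    return findings

# Constructed sample inventory (hypothetical host names).
SAMPLE = [
    ("ws-01", "Mozilla Firefox 147.0.1"),
    ("ws-02", "Mozilla Firefox 148.0"),
    ("ws-03", "Mozilla Firefox 140.7.0esr"),
    ("mail-01", "Mozilla Thunderbird 128.3.0"),
    ("mail-02", "Thunderbird 148.0.1"),
    ("lab-01", "Mozilla Firefox 148.0b3"),
    ("kiosk-01", "version unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE).items()):
        print(status, hosts)
```

Hosts that land in the `unparsed` bucket should be treated as unverified rather than patched.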

Evidence notes

The CVE-2026-2797 vulnerability was identified in the JavaScript: GC component of Firefox and Thunderbird. The vulnerability has a CVSS score of 9.8 and is considered CRITICAL. The CVE was published on 2026-02-24T14:16:28.200Z and last modified on 2026-06-30T03:18:21.253Z. The vulnerability affects Firefox and Thunderbird versions prior to 148. The fix for this vulnerability is included in Firefox 148 and Thunderbird 148.

Official resources

This article is AI-assisted and based on the supplied source corpus.