PatchSiren cyber security CVE debrief
CVE-2026-4688 Mozilla CVE debrief
CVE-2026-4688 is a critical vulnerability in Mozilla Firefox, with a CVSS score of 10. The vulnerability allows for a sandbox escape due to a use-after-free issue in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. The vulnerability was publicly disclosed on March 24, 2026, and last modified on June 30, 2026. The CVE record and NVD detail provide further information on this vulnerability.
- Vendor: Mozilla
- Product: Firefox
- CVSS: CRITICAL 10
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-24
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-24
- Advisory updated: 2026-06-30
Who should care
Organizations and individuals using Mozilla Firefox, Firefox ESR, Thunderbird, or Thunderbird ESR should prioritize patching this vulnerability to prevent potential sandbox escapes. This vulnerability has a critical CVSS score, indicating a high severity. Users of affected products should update to the latest versions as soon as possible.
Technical summary
CVE-2026-4688 is caused by a use-after-free issue (CWE-416) in the Disability Access APIs component of Mozilla Firefox. It allows a sandbox escape, potentially enabling attackers to execute arbitrary code. The vulnerability has been fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges or user interaction required, changed scope, and high impact on confidentiality, integrity, and availability.
Defensive priority
This vulnerability has a critical CVSS score and allows for a sandbox escape, making it a high-priority vulnerability to patch. Organizations should prioritize patching this vulnerability to prevent potential attacks.
Recommended defensive actions
- Patch Firefox to version 149 or later
- Patch Firefox ESR to version 140.9 or later
- Patch Thunderbird to version 149 or later
- Patch Thunderbird ESR to version 140.9 or later
- Review and update affected products to ensure they are running the latest versions
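To check an inventory against the fixed versions listed above, the following added example (not part of the original debrief or any Mozilla tooling) classifies version strings by channel. It assumes the input is the line printed by `firefox --version` or `thunderbird --version`; the function names, host names and sample lines are constructed for illustration.

```python
import re

# Fixed versions as stated on this page for CVE-2026-4688.
FIXED_RELEASE = (149, 0)  # Firefox 149, Thunderbird 149
FIXED_ESR = (140, 9)      # Firefox ESR 140.9, Thunderbird 140.9

# Assumed input format: "Mozilla Firefox 140.8.0esr" or similar.
# Beta/nightly suffixes (e.g. "150.0b3") deliberately do not match.
VERSION_RE = re.compile(
    r"(?:Mozilla )?(Firefox|Thunderbird) (\d+)\.(\d+)(?:\.\d+)*(esr)?\b")


def classify(version_line):
    """Return (product, status): 'fixed', 'vulnerable' or 'unknown'."""
    m = VERSION_RE.search(version_line)
    if m is None:
        return (None, "unknown")  # pre-release or unparseable string
    product = m.group(1)
    version = (int(m.group(2)), int(m.group(3)))
    is_esr = m.group(4) is not None
    if is_esr and version[0] < FIXED_ESR[0]:
        # Older ESR branch: the page names no fixed build for it.
        return (product, "unknown")
    if is_esr and version[0] == FIXED_ESR[0]:
        fixed = version >= FIXED_ESR
    else:
        fixed = version >= FIXED_RELEASE
    return (product, "fixed" if fixed else "vulnerable")


def needs_action(inventory):
    """Hosts whose build is not confirmed fixed (vulnerable or unknown)."""
    return sorted(host for host, line in inventory.items()
                  if classify(line)[1] != "fixed")


# Constructed sample inventory: host name -> reported version line.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 149.0",
    "ws-02": "Mozilla Firefox 148.0.2",
    "ws-03": "Mozilla Firefox 140.8.0esr",
    "ws-04": "Mozilla Firefox 140.9.0esr",
    "ws-05": "Mozilla Thunderbird 140.9.1esr",
    "ws-06": "Mozilla Firefox 115.30.0esr",
    "ws-07": "Mozilla Firefox 150.0b3",
}

if __name__ == "__main__":
    for host in needs_action(SAMPLE_INVENTORY):
        print(host, classify(SAMPLE_INVENTORY[host]))
```

Hosts reported as "unknown" (older ESR branches, pre-release builds, unparseable strings) are returned alongside vulnerable ones so they get a manual review rather than being assumed safe.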
Evidence notes
The CVE record and NVD detail provide further information on this vulnerability. The vulnerability was publicly disclosed on March 24, 2026, and last modified on June 30, 2026. The CVSS score and vector provide a measure of the severity of this vulnerability.
Official resources
- CVE-2026-4688 CVE record (CVE.org)
- CVE-2026-4688 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: [email protected] - Permissions Required
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.