PatchSiren cyber security CVE debrief

CVE-2026-4688 Mozilla CVE debrief

CVE-2026-4688 is a critical use-after-free vulnerability in the Disability Access APIs component of Mozilla Firefox, rated CVSS 10.0, that can be used to escape the browser sandbox. It was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149 and Thunderbird 140.9. The CVE was published on March 24, 2026 and last modified on June 30, 2026; the CVE record and the NVD detail page are the authoritative entries.

Vendor
Mozilla
Product
Firefox
CVSS
CRITICAL 10
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-24
Original CVE updated
2026-06-30
Advisory published
2026-03-24
Advisory updated
2026-06-30

Who should care

Organizations and individuals running Mozilla Firefox, Firefox ESR, Thunderbird or Thunderbird ESR. The flaw is a sandbox escape with a critical CVSS score, so affected installs should be moved to a fixed version as soon as possible rather than with the next routine release cycle.

Technical summary

CVE-2026-4688 is a use-after-free (CWE-416) in the Disability Access APIs component of Mozilla Firefox, the code that exposes page and browser UI content to assistive technologies such as screen readers. Mozilla classifies the impact as a sandbox escape: a freed object in this component could be used by code already running in a compromised, sandboxed content process to reach the more privileged parent process and execute arbitrary code with the browser's full privileges. In practice a sandbox escape is chained with a separate bug that first compromises the content process, so it is the second stage of a full browser compromise rather than a stand-alone remote exploit. The fix shipped in Firefox 149, Firefox ESR 140.9, Thunderbird 149 and Thunderbird 140.9. The recorded CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0, Critical); the changed scope (S:C) is consistent with an impact that crosses the sandbox boundary.

Defensive priority

High. A sandbox escape is what turns a content-process bug into full compromise of the browser, and the advisory rates the issue critical, so roll the fixed versions out promptly rather than on the normal update cadence.

Recommended defensive actions

  • Patch Firefox to version 149 or later
  • Patch Firefox ESR to version 140.9 or later
  • Patch Thunderbird to version 149 or later
  • Patch Thunderbird ESR to version 140.9 or later
  • Confirm the installed version on each endpoint (for example, from the output of firefox --version or thunderbird --version) rather than assuming the built-in updater has already run; ESR builds report their version with an esr suffix, and the fixed version differs between the ESR and release channels
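The following POSIX shell script is an added example, not PatchSiren's or Mozilla's code, that applies the version checks above to the string printed by firefox --version or thunderbird --version. It treats an esr suffix as the ESR channel (fixed in 140.9) and anything else as the release channel (fixed in 149). The sample version strings at the bottom are constructed, not captured from real hosts, and the accepted product-name prefixes are an assumption about the --version output format.

```shell
#!/bin/sh
# Added example (not from the advisory or from Mozilla): decide whether an
# installed Firefox/Thunderbird build is below the fixed version for
# CVE-2026-4688. Fixed versions are taken from the advisory text:
# 149 for the release channel, 140.9 for ESR.

FIXED_RELEASE="149.0"
FIXED_ESR="140.9"

# version_lt A B: returns 0 (true) if dotted version A sorts before B.
# Compares three numeric components; missing components count as 0.
version_lt() {
    lhs=$1 rhs=$2
    old_ifs=$IFS
    IFS=.
    set -- $lhs 0 0
    l1=$1; l2=$2; l3=$3
    set -- $rhs 0 0
    r1=$1; r2=$2; r3=$3
    IFS=$old_ifs
    [ "$l1" -lt "$r1" ] && return 0
    [ "$l1" -gt "$r1" ] && return 1
    [ "$l2" -lt "$r2" ] && return 0
    [ "$l2" -gt "$r2" ] && return 1
    [ "$l3" -lt "$r3" ]
}

# needs_patch "<--version output>": prints a verdict; returns 0 if the build
# is below the fixed version for its channel (needs patching), 1 if it is at
# or above it, 2 if the input is not recognised as a Mozilla version string.
needs_patch() {
    line=$1
    # Assumed --version formats: "Mozilla Firefox 140.8.0esr", "Thunderbird 149.0".
    case "$line" in
        "Mozilla Firefox "*|"Mozilla Thunderbird "*|"Thunderbird "*) ;;
        *) echo "unrecognised version string: $line" >&2; return 2 ;;
    esac
    ver=${line##* }                      # last token, e.g. 140.8.0esr
    case "$ver" in
        *esr) channel=esr;     ver=${ver%esr}; fixed=$FIXED_ESR ;;
        *)    channel=release; fixed=$FIXED_RELEASE ;;
    esac
    # Drop any non-numeric tail (e.g. "a1"/"b3" on pre-release builds) so the
    # numeric comparison does not choke; pre-releases are judged by number only.
    ver=$(printf '%s\n' "$ver" | sed 's/[^0-9.].*$//')
    if version_lt "$ver" "$fixed"; then
        echo "VULNERABLE: $line ($channel channel, fixed in $fixed)"
        return 0
    fi
    echo "OK: $line ($channel channel, fixed in $fixed)"
    return 1
}

# Constructed sample outputs (not captured from real hosts).
for sample in "Mozilla Firefox 140.8.0esr" "Mozilla Firefox 148.0.1" \
              "Mozilla Firefox 149.0" "Thunderbird 140.9.0esr"; do
    needs_patch "$sample" || true
done
```

On a real endpoint, call it as needs_patch "$(firefox --version)" and use the exit status (0 means the build is below the fixed version) in whatever inventory or compliance job runs the check; the printed verdict is only for a human reading the output.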

Evidence notes

The CVE record and the NVD entry are the primary sources for this debrief. The CVE was published on March 24, 2026 and last modified on June 30, 2026. Severity is taken from the recorded CVSS 3.1 vector and score. No CISA KEV listing appears in the stored evidence; that absence is not evidence that the bug is unexploited, only that no such listing was captured.

Official resources

This article is AI-assisted and based on the supplied source corpus.