PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4689 Mozilla CVE debrief

CVE-2026-4689 is a critical vulnerability in Mozilla Firefox: incorrect boundary conditions and an integer overflow in the XPCOM component allow a sandbox escape. It was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. The vulnerability has a CVSS score of 10 (CRITICAL). The CVE was published on March 24, 2026, and last modified on June 30, 2026.

Vendor
Mozilla
Product
Firefox
CVSS
CRITICAL 10
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-24
Original CVE updated
2026-06-30
Advisory published
2026-03-24
Advisory updated
2026-06-30

Who should care

Organizations and individuals running Mozilla Firefox, Firefox ESR, Thunderbird, or other affected products should prioritize patching to prevent sandbox escape and code execution. The critical severity and the potential for exploitation make this vulnerability particularly concerning.

Technical summary

The vulnerability stems from incorrect boundary conditions and an integer overflow in the XPCOM component of Mozilla Firefox, which allow a sandbox escape and potentially code execution. Affected products include Firefox, Firefox ESR, and Thunderbird. Fixes were released in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Defensive priority

This vulnerability should be prioritized for immediate patching due to its critical severity and potential for exploitation. Organizations should ensure that all affected systems and users are updated to the latest patched versions of Firefox, Firefox ESR, and Thunderbird.

Recommended defensive actions

  • Patch Firefox to version 149 or later
  • Patch Firefox ESR 115 to version 115.34 or later
  • Patch Firefox ESR 140 to version 140.9 or later
  • Patch Thunderbird to version 149 or later
  • Patch Thunderbird 140 to version 140.9 or later
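As an added example (not from PatchSiren or Mozilla), a small Python audit that checks reported browser and mail-client versions against the fix versions above. The branch-to-fix mapping is taken from this debrief; the inventory rows and the helper names are constructed for illustration.

```python
import re

# Fix versions from the CVE-2026-4689 debrief: per product, a list of
# (ESR branch major, minimal fixed version). Branch None is the mainline fix.
FIXED_VERSIONS = {
    "firefox": [(115, (115, 34)), (140, (140, 9)), (None, (149,))],
    "thunderbird": [(140, (140, 9)), (None, (149,))],
}

def parse_version(text):
    """Turn strings like '140.9.0esr' or '149.0' into a tuple of ints.
    Suffixes such as 'esr' are dropped; parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.lower().replace("esr", "").split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)

def is_patched(product, version_text):
    """True if the installed version carries the fix for its branch.
    Builds on a branch the advisory lists no fix for (e.g. an old non-ESR
    release, or Thunderbird 115) are conservatively treated as unpatched
    unless they are at or above the mainline fix."""
    installed = parse_version(version_text)
    rules = FIXED_VERSIONS[product.lower()]
    for branch, fixed in rules:
        if branch is not None and installed[0] == branch:
            return installed >= fixed
    mainline = next(fixed for branch, fixed in rules if branch is None)
    return installed >= mainline

# Constructed inventory: (host, product, reported version).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "149.0"),
    ("ws-02", "firefox", "140.9.0esr"),
    ("ws-03", "firefox", "140.8.0esr"),
    ("srv-01", "firefox", "115.33.1esr"),
    ("ws-04", "thunderbird", "140.9.0"),
    ("ws-05", "thunderbird", "115.20.0esr"),
]

def audit(inventory):
    """Return the rows that still need patching for CVE-2026-4689."""
    return [row for row in inventory if not is_patched(row[1], row[2])]
```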

Evidence notes

The CVE-2026-4689 vulnerability was publicly disclosed on March 24, 2026, and last modified on June 30, 2026. The vulnerability has a CVSS score of 10 and is considered CRITICAL. Multiple sources, including Mozilla and Red Hat, have provided advisories and patches for this vulnerability.

Official resources

This article was generated with AI assistance based on the supplied source corpus.