PatchSiren cyber security CVE debrief
CVE-2026-4697 Mozilla CVE debrief
CVE-2026-4697 is a HIGH severity vulnerability in Mozilla Firefox, Thunderbird, and Firefox ESR. It relates to incorrect boundary conditions in the Audio/Video: Web Codecs component. This issue was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. The vulnerability was publicly disclosed on March 24, 2026, and last modified on June 30, 2026. The CVSS score for this vulnerability is 7.5.
- Vendor: Mozilla
- Product: Firefox
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-24
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-24
- Advisory updated: 2026-06-30
Who should care
Organizations and individuals using Mozilla Firefox, Thunderbird, or Firefox ESR should prioritize patching this vulnerability. Given its HIGH severity and potential for exploitation, defenders should ensure that all users have updated to the patched versions. This vulnerability could be particularly concerning for organizations with high-risk exposure to web-based attacks.
Technical summary
CVE-2026-4697 is caused by incorrect boundary conditions in the Audio/Video: Web Codecs component of Mozilla Firefox, Thunderbird, and Firefox ESR. The issue can lead to crashes and potentially exploitable conditions. The Common Vulnerability Scoring System (CVSS) base score for this issue is 7.5, indicating a HIGH severity level. The vulnerability was addressed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.
Defensive priority
Defenders should prioritize patching CVE-2026-4697 due to its HIGH severity and potential for exploitation. Ensure all instances of Mozilla Firefox, Thunderbird, and Firefox ESR are updated to the patched versions: Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Recommended defensive actions
- Update Mozilla Firefox to version 149 or later.
- Update Mozilla Firefox ESR to version 140.9 or later.
- Update Mozilla Thunderbird to version 149 or later.
- Update Mozilla Thunderbird to version 140.9 or later.
- Verify that all users have updated to the patched versions.
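One way to carry out the verification step above against a software inventory, as an added example (not code from Mozilla or from this page). The inventory format, the host names, and the rule that major version 140 is treated as the ESR branch are assumptions.

```python
import re

# Minimum fixed versions stated on this page, keyed by product, then by branch
# major version. Assumption: major 140 is the ESR line; every other branch
# must reach the 149 release fix.
FIXED = {
    "firefox": {140: (140, 9, 0), None: (149, 0, 0)},
    "thunderbird": {140: (140, 9, 0), None: (149, 0, 0)},
}

def parse_version(text):
    """Turn '140.8.0esr' into (140, 8, 0); reject anything non-numeric."""
    core = text.strip().lower().removesuffix("esr")
    if not re.fullmatch(r"\d+(\.\d+){0,2}", core):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in core.split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def status(product, version_text):
    """Return 'patched', 'unpatched' or 'unknown' for one install."""
    name = product.strip().lower()
    key = next((k for k in FIXED if k in name), None)
    if key is None:
        return "unknown"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # needs manual review rather than a silent pass
    minimum = FIXED[key].get(version[0], FIXED[key][None])
    return "patched" if version >= minimum else "unpatched"

# Constructed sample inventory (host,product,version), not real data.
INVENTORY = """\
ws-014,Firefox,148.0.2
ws-015,Firefox,149.0
srv-02,Firefox ESR,140.8.0esr
srv-03,Firefox ESR,140.9.0esr
ws-020,Thunderbird,140.9.1
ws-021,Thunderbird,141.0
kiosk-1,Firefox,nightly-build
"""

def audit(inventory_csv):
    """Return {host: status} for every row that is not confirmed patched."""
    rows = (line.split(",") for line in inventory_csv.splitlines() if line)
    results = {h.strip(): status(p, v) for h, p, v in rows}
    return {h: s for h, s in results.items() if s != "patched"}
```

Rows reported as `unknown` carry a version string the check cannot compare and should be reviewed by hand.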
Evidence notes
The CVE-2026-4697 vulnerability details were obtained from the official CVE record and the National Vulnerability Database (NVD). The CVE was publicly disclosed on March 24, 2026, and last modified on June 30, 2026. The vulnerability affects multiple Mozilla products, including Firefox, Thunderbird, and Firefox ESR. The CVSS score for this vulnerability is 7.5, indicating a HIGH severity level.
Official resources
- CVE-2026-4697 CVE record (CVE.org)
- CVE-2026-4697 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference (Permissions Required)
- Mitigation or vendor reference (Vendor Advisory)
- Mitigation or vendor reference (Vendor Advisory)
- Source reference
- Source reference
- Source reference (0b0ca135-0b70-47e7-9f44-1890c2a1c46c)
- Source reference (0b0ca135-0b70-47e7-9f44-1890c2a1c46c)
This article is AI-assisted and based on the supplied source corpus.