
PatchSiren cyber security CVE debrief

CVE-2026-4720 Mozilla CVE debrief

CVE-2026-4720 is a critical vulnerability affecting Mozilla Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148, and Thunderbird 148. Mozilla attributes it to memory safety bugs, some of which showed evidence of memory corruption; if exploited, such bugs could allow an attacker to run arbitrary code. It is fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird ESR 140.9. The CVE carries a CVSS 3.1 base score of 9.8 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability.

Vendor
Mozilla
Product
Firefox
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-24
Original CVE updated
2026-06-30
Advisory published
2026-03-24
Advisory updated
2026-06-30

Who should care

Organizations and individuals running Mozilla Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148, or Thunderbird 148 should prioritize patching. Because the severity is Critical and the bugs can lead to arbitrary code execution, update to Firefox 149, Firefox ESR 140.9, Thunderbird 149, or Thunderbird ESR 140.9 as soon as possible. Thunderbird is in scope as well as Firefox because it shares the same underlying engine code in which the bugs were fixed.

Technical summary

CVE-2026-4720 is caused by memory safety bugs in the affected versions of Mozilla Firefox and Thunderbird. The bugs can corrupt memory and could be leveraged for arbitrary code execution. The assigned weakness is CWE-120, Buffer Copy without Checking Size of Input ("Classic Buffer Overflow"). The CVE was published on March 24, 2026; both the CVE record and the advisory were last updated on June 30, 2026.

Defensive priority

High. Patch immediately: the CVSS score is Critical and the bugs can lead to arbitrary code execution.

Recommended defensive actions

  • Update Mozilla Firefox to version 149 or later.
  • Update Mozilla Firefox ESR to version 140.9 or later.
  • Update Mozilla Thunderbird to version 149 or later.
  • Update Mozilla Thunderbird ESR to version 140.9 or later.
  • On Red Hat systems, apply the corresponding Red Hat errata for the affected packages rather than waiting for an upstream build.
  • Review and apply additional security advisories from Mozilla and relevant vendors.
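The version thresholds above are easy to misapply by hand (140.9.0esr is fixed, 140.8.0esr is not, and a release-channel 148.x is not fixed even though 148 is larger than 140.9). The following is an added example, not PatchSiren's or Mozilla's code, that turns the list into a check over the first line printed by `firefox --version` / `thunderbird --version`. The sample output lines are constructed for demonstration; the `FIXED_IN` table holds only the fixed versions stated on this page.

```python
import re
from typing import NamedTuple, Optional

# Fixed versions stated in the advisory, keyed by (product, channel).
FIXED_IN = {
    ("firefox", "release"): (149, 0),
    ("firefox", "esr"): (140, 9),
    ("thunderbird", "release"): (149, 0),
    ("thunderbird", "esr"): (140, 9),
}

# Matches the version line printed by `firefox --version` or
# `thunderbird --version`, e.g. "Mozilla Firefox 140.8.0esr"
# or "Mozilla Thunderbird 148.0". The optional "esr" suffix
# identifies the ESR channel.
_VERSION_RE = re.compile(
    r"^Mozilla (Firefox|Thunderbird)\s+(\d+(?:\.\d+)*)(esr)?\s*$", re.IGNORECASE
)


class Install(NamedTuple):
    product: str        # "firefox" or "thunderbird"
    channel: str        # "release" or "esr"
    version: tuple      # e.g. (140, 8, 0)


def parse_version_line(line: str) -> Optional[Install]:
    """Parse one --version line; return None if it is not a Mozilla version line."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        return None
    product = m.group(1).lower()
    version = tuple(int(part) for part in m.group(2).split("."))
    channel = "esr" if m.group(3) else "release"
    return Install(product, channel, version)


def is_fixed(install: Install) -> bool:
    """True when the build is at or above the fixed version for its channel.

    Tuple comparison handles the extra patch component ((140, 9, 0) >= (140, 9))
    and compares channels separately, so release 148.x is judged against 149
    rather than against ESR 140.9. An older ESR line such as 128.x compares
    below 140.9 and is therefore (correctly) reported as needing an update.
    """
    return install.version >= FIXED_IN[(install.product, install.channel)]


def assess(line: str) -> str:
    """Classify one --version line as 'fixed', 'vulnerable', or 'unknown'."""
    install = parse_version_line(line)
    if install is None:
        return "unknown"
    return "fixed" if is_fixed(install) else "vulnerable"


# Constructed sample output (not real inventory data), one line per host.
SAMPLE_OUTPUT = [
    "Mozilla Firefox 140.8.0esr",
    "Mozilla Firefox 140.9.0esr",
    "Mozilla Firefox 148.0.2",
    "Mozilla Firefox 149.0",
    "Mozilla Thunderbird 140.8.0esr",
    "Mozilla Thunderbird 149.0",
    "bash: firefox: command not found",
]

if __name__ == "__main__":
    for sample in SAMPLE_OUTPUT:
        print(f"{assess(sample):<10} {sample}")
```

Feed it the collected `--version` output from your inventory or endpoint-management tool; any line classified `unknown` (a missing binary, a non-Mozilla build string) needs a manual look rather than being counted as safe. On Windows the GUI executable typically does not print `--version` to the console, so read the `Version=` line from `application.ini` in the install directory instead and pass a synthesized "Mozilla Firefox <version>" line to `assess`.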

Evidence notes

The entry for CVE-2026-4720 draws on Mozilla's security advisories MFSA 2026-20, MFSA 2026-22, MFSA 2026-23 and MFSA 2026-24, the NVD record, and Red Hat errata issued for affected Red Hat products.

Official resources

This article is AI-assisted and based on the supplied source corpus.