PatchSiren cyber security CVE debrief
CVE-2026-4720 Mozilla CVE debrief
CVE-2026-4720 is a critical vulnerability affecting Mozilla Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148, and Thunderbird 148. The vulnerability involves memory safety bugs that showed evidence of memory corruption. If exploited, these bugs could potentially allow attackers to run arbitrary code. The vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. This CVE has a CVSS score of 9.8, indicating a critical severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, highlighting the high impact across confidentiality, integrity, and availability.
- Vendor: Mozilla
- Product: Firefox
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-24
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-24
- Advisory updated: 2026-06-30
Who should care
Organizations and individuals using Mozilla Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148, or Thunderbird 148 should prioritize patching this vulnerability. Given the critical severity and potential for arbitrary code execution, immediate attention is required to prevent potential exploitation. This includes updating to Firefox 149, Firefox ESR 140.9, Thunderbird 149, or Thunderbird 140.9 as soon as possible.
Technical summary
The CVE-2026-4720 vulnerability is caused by memory safety bugs in the affected versions of Mozilla Firefox and Thunderbird. These bugs showed evidence of memory corruption and could potentially allow arbitrary code execution. The Common Weakness Enumeration (CWE) assigned to this vulnerability is CWE-120 (classic buffer overflow), indicating a potential for buffer overflow or similar memory-handling issues. The vulnerability was publicly disclosed on March 24, 2026; the record was last modified on June 30, 2026, likely to reflect additional information or patch details.
Defensive priority
High. Immediate patching is recommended due to the critical severity and potential for exploitation.
Recommended defensive actions
- Update Mozilla Firefox to version 149 or later.
- Update Mozilla Firefox ESR to version 140.9 or later.
- Update Mozilla Thunderbird to version 149 or later.
- Update Mozilla Thunderbird ESR to version 140.9 or later.
- Review and apply additional security advisories from Mozilla and relevant vendors.
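The update steps above reduce to one check per installed build: is it at or above the fixed version for its branch (149 mainline, 140.9 ESR)? The following is an added example, not code from PatchSiren or Mozilla, that applies that check to version banners such as `firefox --version` prints. It assumes that any 140.x build is on the ESR line and that mainline builds between 141 and 148 should also be treated as unpatched because they predate the fix; the inventory is constructed sample data.

```python
"""Check installed Firefox/Thunderbird builds against the CVE-2026-4720 fixed versions."""
import re

# Fixed versions from the advisory: mainline 149, ESR 140.9 (Firefox and Thunderbird alike).
FIXED_MAINLINE = (149, 0, 0)
FIXED_ESR = (140, 9, 0)
ESR_MAJOR = 140  # assumption: the 140.x line is the ESR line this advisory covers

# Constructed sample inventory (hostname -> version banner), not real hosts.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 149.0",
    "ws-02": "Mozilla Firefox 148.0.2",
    "ws-03": "Mozilla Firefox 140.9.0esr",
    "mail-01": "Thunderbird 140.8.0esr",
}


def parse_version(banner: str) -> tuple[tuple[int, int, int], bool]:
    """Parse a banner such as 'Mozilla Firefox 140.8.0esr' or 'Thunderbird 148.0.1'.

    Returns ((major, minor, patch), is_esr). Missing minor/patch default to 0.
    """
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*(esr)?", banner, re.IGNORECASE)
    if not m:
        raise ValueError(f"no version found in {banner!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups()[:3])
    return (major, minor, patch), m.group(4) is not None


def is_patched(banner: str) -> bool:
    """True when the build is at or above the fixed version for its branch.

    Assumption (not stated on the page): ESR builds, and any 140.x build, are
    judged against 140.9; every other build is judged against 149, so mainline
    141-148 builds count as unpatched.
    """
    version, esr = parse_version(banner)
    if esr or version[0] == ESR_MAJOR:
        return version >= FIXED_ESR
    return version >= FIXED_MAINLINE


def hosts_needing_update(inventory: dict[str, str]) -> list[str]:
    """Return the sorted hostnames whose build still needs the CVE-2026-4720 fix."""
    return sorted(host for host, banner in inventory.items() if not is_patched(banner))


if __name__ == "__main__":
    print("Needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```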
Evidence notes
The CVE-2026-4720 vulnerability is supported by evidence from Mozilla's security advisories (MFSA 2026-20, MFSA 2026-22, MFSA 2026-23, MFSA 2026-24) and NVD details. Red Hat has also provided errata for affected systems.
Official resources
- CVE-2026-4720 CVE record (CVE.org)
- CVE-2026-4720 NVD detail (NVD)
This article is AI-assisted and based on the supplied source corpus.