{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4701", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-03-23T23:22:05.456Z", "datePublished": "2026-03-24T12:30:29.700Z", "dateUpdated": "2026-03-24T20:27:31.023Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "149", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "140.9", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "149", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "140.9", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9."}]}], "title": "Use-after-free in the JavaScript Engine component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2009303"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"}], "credits": [{"lang": "en", "value": "Gary Kwong"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-03-24T20:27:31.023Z"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "DA62D95E-CB01-4586-83DB-5094116FC939", "versionEndExcluding": "140.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "02F2B82F-E997-4D5F-BBB0-237E4962555B", "versionEndExcluding": "149.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use-after-free in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9."}], "id": "CVE-2026-4701", "lastModified": "2026-03-24T21:16:31.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-24T13:16:06.103", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2009303"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "firefox: thunderbird: Use-after-free in the JavaScript Engine component", "id": "2450710", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450710"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue:\nUse-after-free in the JavaScript Engine component"], "name": "CVE-2026-4701", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "rhel10/thunderbird-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-24T12:30:29Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4701\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4701\nhttps://www.mozilla.org/security/advisories/mfsa2026-22/#CVE-2026-4701\nhttps://www.mozilla.org/security/advisories/mfsa2026-24/#CVE-2026-4701"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,149)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,140.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox ESR", "source": "cna", "vendor": "Mozilla"}, "product": "firefox_esr", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-03-24T21:26:46.921407+00:00", "value": {"mitigation_remediation": ["Update to the latest Mozilla Firefox or Firefox ESR version (149 or ESR 140.9 or later).", "Update to the latest Mozilla Thunderbird or Thunderbird ESR version (149 or ESR 140.9 or later).", "Verify that the update installed by checking the browser or mail client version in the About dialog.", "If an update cannot be applied immediately, restrict or disable JavaScript execution in untrusted contexts or use a web filtering solution to block malicious scripts.", "Monitor Mozilla security advisories for any new patches or work\u2011arounds and apply them as soon as they become available."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution via Use-After-Free in JavaScript Engine"}, "threat_synthesis": {"affected_systems": "Affected products include Mozilla Firefox and Mozilla Thunderbird, both in the main release line and their ESR streams. The flaw exists in Firefox versions earlier than 149, in Firefox ESR versions earlier than 140.9, in Thunderbird earlier than 149, and in Thunderbird ESR earlier than 140.9. Systems running these versions are at risk.\n", "description_and_impact": "This vulnerability is a classic use\u2011after\u2011free flaw in the JavaScript engine. The memory bug can allow an attacker to corrupt program state or execute arbitrary code when malicious JavaScript is parsed. With the described class of error (CWE\u2011416), the impact is loss of confidentiality, integrity, and availability for compromised machines, potentially enabling full system takeover.\n", "risk_and_exploitability": "The CVSS score of 9.8 signifies critical severity, indicating that exploitation would likely provide remote code execution. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, so no known public exploits have been reported yet. The likely attack vector is through malicious web content or a crafted file that triggers JavaScript evaluation; the flaw requires memory corruption during script parsing, making exploitation feasible from untrusted content. Because it can be triggered remotely, users must treat the risk as high pending patch deployment."}}}}, "created": "2026-03-25T11:48:07.969989+00:00", "updated": "2026-03-25T20:50:43.811401+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$firefox_esr"]}