{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4710", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-03-23T23:22:21.623Z", "datePublished": "2026-03-24T12:30:35.852Z", "dateUpdated": "2026-03-24T20:27:42.269Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "149", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Firefox ESR", "vendor": "Mozilla", "versions": [{"lessThan": "140.9", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "149", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "140.9", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9."}]}], "title": "Incorrect boundary conditions in the Audio/Video component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016370"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"}], "credits": [{"lang": "en", "value": "Sajeeb Lohani"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-03-24T20:27:42.269Z"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "DA62D95E-CB01-4586-83DB-5094116FC939", "versionEndExcluding": "140.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "02F2B82F-E997-4D5F-BBB0-237E4962555B", "versionEndExcluding": "149.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "matchCriteriaId": "4C0558B1-4113-45A8-8E37-A0793A67AD6D", "versionEndExcluding": "140.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "40FE4697-89F1-46F6-8E28-41883647583B", "versionEndExcluding": "149.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect boundary conditions in the Audio/Video component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9."}, {"lang": "es", "value": "Condiciones de contorno incorrectas en el componente de Audio/Video. Esta vulnerabilidad afecta a Firefox &lt; 149, Firefox ESR &lt; 140.9, Thunderbird &lt; 149 y Thunderbird &lt; 140.9."}], "id": "CVE-2026-4710", "lastModified": "2026-03-25T18:19:17.087", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-24T13:16:06.910", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016370"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-22/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-24/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,149)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,140.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox ESR", "source": "cna", "vendor": "Mozilla"}, "product": "firefox_esr", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-03-25T21:32:09.322249+00:00", "value": {"mitigation_remediation": ["Upgrade Mozilla Firefox to version 149 or later, or to the ESR release 140.9 or newer.", "Upgrade Mozilla Thunderbird to version 149 or later, or to the ESR release 140.9 or newer.", "If an upgrade is not feasible, consider disabling the media playback functionality or switching to an alternate media viewer to reduce exposure.", "Stay informed by monitoring Mozilla security advisories for any additional patches or mitigations."], "summary": {"action": "Patch", "impact": "Potential for code execution"}, "threat_synthesis": {"affected_systems": "All editions of Mozilla Firefox and Thunderbird that are below version 149 on the mainline releases or below 140.9 on the Extended Support Release channel are vulnerable. The issue applies to every platform where these browsers run, as the component is core to the media handling functionality.", "description_and_impact": "The reported flaw is caused by incorrect boundary checks in the audio and video subsystem. This can allow an attacker to corrupt memory when a media file is processed, which in turn could lead to the execution of arbitrary code. While the official data does not explicitly state that exploitation is guaranteed, the nature of the defect\u2014buffer overruns\u2014implies that an attacker might be able to run code with the privileges of the user opening the file.", "risk_and_exploitability": "The CVSS score of 9.8 highlights a critical level of severity. The EPSS score of less than 1% indicates that, as of now, the probability of exploitation is low, and it is not listed in the CISA KEV catalog. The most likely attack will involve a local user who opens a crafted media file; this inference comes from the absence of any mention of remote triggers and the typical exploitation path for buffer overrun bugs. Overall, the risk is high due to the severity, although actual exploitation attempts are currently unlikely."}}}}, "created": "2026-03-25T11:47:57.581606+00:00", "updated": "2026-03-25T21:48:17.093517+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$firefox_esr"]}