{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4724", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-03-23T23:22:47.158Z", "datePublished": "2026-03-24T12:30:31.717Z", "dateUpdated": "2026-03-25T19:50:02.192Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"lessThan": "149", "status": "affected", "version": "unspecified", "versionType": "custom"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"lessThan": "149", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149 and Thunderbird < 149.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149 and Thunderbird < 149."}]}], "title": "Undefined behavior in the Audio/Video component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2014865"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "credits": [{"lang": "en", "value": "Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-03-24T20:27:34.930Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-758", "lang": "en", "description": "CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:43:18.279614Z", "id": "CVE-2026-4724", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:50:02.192Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4724", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T19:43:18.279614Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-758", "description": "CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:45:42.670Z"}}], "cna": {"title": "Undefined behavior in the Audio/Video component", "credits": [{"lang": "en", "value": "Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "149", "versionType": "custom"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "149", "versionType": "custom"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2014865"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "descriptions": [{"lang": "en", "value": "Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149 and Thunderbird < 149.", "supportingMedia": [{"type": "text/html", "value": "Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149 and Thunderbird < 149.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-03-24T20:27:34.930Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4724", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:50:02.192Z", "dateReserved": "2026-03-23T23:22:47.158Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-03-24T12:30:31.717Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*", "matchCriteriaId": "EC415708-0D12-42F6-801D-6884F4F01CD9", "versionEndExcluding": "149.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "98D01327-B65C-4FE2-8BBE-98C3555CF8E0", "versionEndExcluding": "149.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Undefined behavior in the Audio/Video component. This vulnerability affects Firefox < 149 and Thunderbird < 149."}, {"lang": "es", "value": "Comportamiento indefinido en el componente de Audio/Video. Esta vulnerabilidad afecta a Firefox &lt; 149 y Thunderbird &lt; 149."}], "id": "CVE-2026-4724", "lastModified": "2026-03-25T20:55:47.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-24T13:16:08.280", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2014865"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-758"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Undefined behavior in the Audio/Video component", "id": "2450749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450749"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-475", "details": ["A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue:\nUndefined behavior in the Audio/Video component"], "name": "CVE-2026-4724", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-24T12:30:31Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4724\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4724\nhttps://www.mozilla.org/security/advisories/mfsa2026-20/#CVE-2026-4724"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,149)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-03-25T13:23:47.157722+00:00", "value": {"mitigation_remediation": ["Update to Firefox 149 or newer and Thunderbird 149 or newer."], "summary": {"action": "Patch", "impact": "Potential code execution via audio/video component misuse"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox versions prior to 149 and Mozilla Thunderbird versions prior to 149 are affected. The impact applies to users running these older builds, regardless of operating system or other installed software.", "description_and_impact": "An undefined behavior resides in the Audio/Video component that is exercised by rendering or processing media content. The flaw could corrupt memory or trigger erroneous code paths, creating a path for an attacker to execute arbitrary code or tamper with data integrity. While the user-facing impact is not explicitly stated in the advisory, undefined behavior of this nature is known in practice to enable remote or local privilege escalation depending on the execution context.", "risk_and_exploitability": "The CVSS score of 6.1 reflects moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred as local or remote based on the component's operation; an attacker would need to supply a crafted media file or manipulate the media pipeline to trigger the undefined behavior. No current public exploit is known, but the potential for code execution warrants timely action."}}}}, "created": "2026-03-25T11:48:04.137553+00:00", "updated": "2026-03-25T20:50:39.836408+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}