CVE-2026-2634
Published: 24 February 2026
Summary
CVE-2026-2634 is a critical-severity User Interface (UI) Misrepresentation of Critical Information (CWE-451) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); ranked at the 20.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-2634 by requiring timely identification, reporting, and patching of the flaw in Firefox for iOS to version 147.4 or later.
Enables proactive scanning to identify the presence of CVE-2026-2634 in deployed Firefox for iOS instances, triggering remediation.
Supports rapid awareness and response by receiving and implementing Mozilla's security advisory (MFSA 2026-12) specific to this UI spoofing vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Address bar desync/UI spoofing in browser directly enables phishing via malicious links (T1566.002) and supports drive-by social engineering attacks without user interaction (T1189).
NVD Description
Malicious scripts could cause desynchronization between the address bar and web content before a response is received in Firefox iOS, allowing attacker-controlled pages to be presented under spoofed domains. This vulnerability was fixed in Firefox for iOS 147.4.
Deeper analysisAI
CVE-2026-2634 is a critical vulnerability in Firefox for iOS that allows malicious scripts to cause desynchronization between the address bar and web content before a server response is received. This enables attacker-controlled pages to be presented under spoofed domains, facilitating UI spoofing. The issue affects Firefox for iOS versions prior to 147.4 and is associated with CWE-451 (User Interface Misrepresentation of Critical Information), with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Any remote attacker can exploit this vulnerability without privileges or user interaction by hosting malicious scripts on a webpage. Successful exploitation tricks users into believing they are visiting a legitimate domain while displaying attacker-controlled content, potentially leading to phishing, credential theft, or other social engineering attacks with high confidentiality, integrity, and availability impacts.
Mozilla fixed this vulnerability in Firefox for iOS 147.4, as detailed in their security advisory (MFSA 2026-12) and Bugzilla entry 1975529. Security practitioners should ensure users update to the patched version to mitigate the risk.
Details
- CWE(s)