CVE-2026-2757

Published: 24 February 2026
Modified: 30 June 2026
KEV Added: not listed in the CISA KEV catalog
Patch: available (fixed versions listed below)
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0049 (38.6th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-2757 is a critical-severity Improper Handling of Physical or Environmental Conditions (CWE-1384) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 38.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-2757 is a high-severity vulnerability stemming from incorrect boundary conditions in the WebRTC Audio/Video component of Mozilla products. It affects Firefox versions prior to 148, Firefox ESR versions prior to 115.33 and 140.8, Thunderbird versions prior to 148, and Thunderbird versions prior to 140.8. The issue is cataloged under CWE-1384 with an additional NVD-CWE-noinfo mapping and carries a CVSS v3.1 base score of 9.8.

The vulnerability enables exploitation over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing scope (S:U). Remote attackers can thus achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially leading to full system compromise such as arbitrary code execution via malicious WebRTC traffic.

Mozilla's security advisories (MFSA 2026-13 through 2026-16) and the associated Bugzilla entry (bug 2001637) detail the fix applied in the listed versions. Security practitioners should prioritize updating affected Firefox and Thunderbird installations to the patched releases to mitigate the risk.

Vulnerability details

Incorrect boundary conditions in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Remote unauthenticated RCE via malicious WebRTC traffic in client applications (Firefox/Thunderbird) directly enables client-side exploitation for code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2759 (same product: Mozilla Firefox)
CVE-2026-2760 (same product: Mozilla Firefox)
CVE-2026-4710 (same product: Mozilla Firefox)
CVE-2026-6786 (same product: Mozilla Firefox)
CVE-2026-6748 (same product: Mozilla Firefox)
CVE-2025-9184 (same product: Mozilla Firefox)
CVE-2026-2789 (same product: Mozilla Firefox)
CVE-2025-9185 (same product: Mozilla Firefox)
CVE-2026-7323 (same product: Mozilla Firefox)
CVE-2026-0892 (same product: Mozilla Firefox)

Affected Assets

mozilla / firefox: ≤ 115.33.0 · ≤ 148.0 · 128.0 — 140.8.0
mozilla / thunderbird: ≤ 140.8.0 · ≤ 148.0

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 (Flaw Remediation) directly mandates timely remediation of known flaws like CVE-2026-2757 by applying patches to vulnerable Firefox and Thunderbird versions, preventing remote code execution.

Detect: RA-5 (Vulnerability Monitoring and Scanning) requires vulnerability scanning to identify systems running affected Firefox and Thunderbird versions prior to the patched releases.

Detect: SI-5 (Security Alerts, Advisories, and Directives) ensures monitoring of vendor security advisories such as Mozilla's MFSA 2026-13 through 2026-16 to promptly learn of and address CVE-2026-2757.
