CVE-2026-2765
Published: 24 February 2026
Summary
CVE-2026-2765 is a critical-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 37.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Deeper analysis
CVE-2026-2765 is a use-after-free vulnerability (CWE-416) in the JavaScript Engine component of Mozilla products, published on 2026-02-24. It affects Firefox versions prior to 148, Firefox ESR prior to 140.8, Thunderbird prior to 148, and Thunderbird prior to 140.8, earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no user privileges or interaction. Successful exploitation enables high-impact confidentiality, integrity, and availability violations, potentially leading to arbitrary code execution within the browser or application context.
Mozilla security advisories (MFSA2026-13, MFSA2026-15, MFSA2026-16, and MFSA2026-17) and Bugzilla entry 2013562 detail the fix applied in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8. Mitigation requires updating affected products to these versions or later.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8487
Vulnerability details
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in JS engine enables remote arbitrary code execution in browser/app context (no auth/interaction required), directly facilitating client-side exploitation.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely remediation of flaws through patching, addressing the use-after-free vulnerability fixed in updated Firefox and Thunderbird versions.
Implements memory protection techniques like ASLR and DEP that mitigate exploitation of use-after-free vulnerabilities in the JavaScript engine.
Enforces process isolation via browser sandboxing to contain the impact of JavaScript engine exploits and prevent escalation to system compromise.
Hardening callouts derived
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (1 rule)
- V-248592 OL 8 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416
RHEL 8 (1 rule)
- V-230279 RHEL 8 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416
RHEL 9 (1 rule)
- V-257794 RHEL 9 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416