CVE-2026-2779
Published: 24 February 2026
Summary
CVE-2026-2779 is a critical-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, and correction of software flaws like the buffer overflow in Firefox/Thunderbird's Networking JAR component via vendor patches such as Firefox 148.
Implements memory safeguards like address space layout randomization and data execution prevention to block unauthorized code execution from buffer overflow exploits in the JAR component.
Provides vulnerability scanning to identify systems running vulnerable versions of Firefox or Thunderbird affected by the JAR boundary condition flaw.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote buffer overflow (CWE-119) in client-side Networking:JAR component of Firefox/Thunderbird enables arbitrary code execution with no user interaction, directly mapping to T1203 Exploitation for Client Execution.
NVD Description
Incorrect boundary conditions in the Networking: JAR component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Deeper analysisAI
CVE-2026-2779 is a vulnerability involving incorrect boundary conditions in the Networking: JAR component of Mozilla Firefox and Thunderbird. It affects versions prior to Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8, and is associated with CWE-119 (likely a buffer overflow due to improper bounds checking), as indicated by NVD-CWE-noinfo. The issue carries a CVSS v3.1 base score of 9.8, reflecting its critical severity.
An unauthenticated attacker can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation enables high-impact compromise, including unauthorized access to sensitive data (confidentiality), modification of system state (integrity), and disruption of services (availability).
Mozilla security advisories (MFSA 2026-13, 15, 16, and 17) and the associated Bugzilla entry detail the patch, recommending immediate updates to Firefox 148, Firefox ESR 140.8, Thunderbird 148, or Thunderbird 140.8 to mitigate the issue.
Details
- CWE(s)