Cyber Resilience

CVE-2026-2805

Critical

Published: 24 February 2026

Published
24 February 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0040 32.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-2805 is a critical-severity Access of Uninitialized Pointer (CWE-824) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 32.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-2805 is an invalid pointer vulnerability in the DOM Core & HTML component of Mozilla Firefox and Thunderbird. The issue, associated with CWE-824 (Access of Uninitialized Pointer), allows for critical memory corruption and was assigned a CVSS v3.1 base score of 9.8, reflecting its high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

Remote attackers can exploit this vulnerability over the network without authentication or user interaction to achieve high-impact confidentiality, integrity, and availability violations. Successful exploitation could lead to arbitrary code execution, data exposure, or system compromise within the browser's sandboxed environment.

Mozilla's security advisories (MFSA 2026-13 and MFSA 2026-16) and Bugzilla entry (bug 2014549) detail the fix applied in Firefox 148 and Thunderbird 148. Security practitioners should ensure users update to these versions or later to mitigate the risk, as no workarounds are specified in the provided references.

EU & UK References

Vulnerability details

Invalid pointer in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

CVE describes unauthenticated remote memory corruption/RCE in client browser (Firefox/Thunderbird) with no user interaction required, directly enabling drive-by compromise via malicious sites and exploitation for client execution to run arbitrary code in the sandbox.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2785Same product: Mozilla Firefox
CVE-2026-6757Same product: Mozilla Firefox
CVE-2026-6751Same product: Mozilla Firefox
CVE-2025-8027Same product: Mozilla Firefox
CVE-2026-4721Same product: Mozilla Firefox
CVE-2026-2790Same product: Mozilla Firefox
CVE-2025-1011Same product: Mozilla Firefox
CVE-2026-6748Same product: Mozilla Firefox
CVE-2026-2786Same product: Mozilla Firefox
CVE-2026-2795Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 148.0
mozilla
thunderbird
≤ 148.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of known software flaws like this invalid pointer vulnerability through patching to Firefox 148 or Thunderbird 148.

prevent

Implements memory protection mechanisms such as ASLR and DEP to mitigate exploitation of memory corruption from invalid pointer dereferences in the DOM component.

detect

Enables vulnerability scanning to identify systems running vulnerable versions of Firefox or Thunderbird affected by CVE-2026-2805.

References