CVE-2026-2805
Published: 24 February 2026
Summary
CVE-2026-2805 is a critical-severity Access of Uninitialized Pointer (CWE-824) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 6.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of known software flaws like this invalid pointer vulnerability through patching to Firefox 148 or Thunderbird 148.
Implements memory protection mechanisms such as ASLR and DEP to mitigate exploitation of memory corruption from invalid pointer dereferences in the DOM component.
Enables vulnerability scanning to identify systems running vulnerable versions of Firefox or Thunderbird affected by CVE-2026-2805.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE describes unauthenticated remote memory corruption/RCE in client browser (Firefox/Thunderbird) with no user interaction required, directly enabling drive-by compromise via malicious sites and exploitation for client execution to run arbitrary code in the sandbox.
NVD Description
Invalid pointer in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
Deeper analysisAI
CVE-2026-2805 is an invalid pointer vulnerability in the DOM Core & HTML component of Mozilla Firefox and Thunderbird. The issue, associated with CWE-824 (Access of Uninitialized Pointer), allows for critical memory corruption and was assigned a CVSS v3.1 base score of 9.8, reflecting its high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.
Remote attackers can exploit this vulnerability over the network without authentication or user interaction to achieve high-impact confidentiality, integrity, and availability violations. Successful exploitation could lead to arbitrary code execution, data exposure, or system compromise within the browser's sandboxed environment.
Mozilla's security advisories (MFSA 2026-13 and MFSA 2026-16) and Bugzilla entry (bug 2014549) detail the fix applied in Firefox 148 and Thunderbird 148. Security practitioners should ensure users update to these versions or later to mitigate the risk, as no workarounds are specified in the provided references.
Details
- CWE(s)