CVE-2026-2806
Published: 24 February 2026
Summary
CVE-2026-2806 is a critical-severity Use of Uninitialized Resource (CWE-908) vulnerability in Mozilla Firefox. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 30.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-2806 is a critical vulnerability involving uninitialized memory in the Graphics: Text component, affecting Mozilla Firefox and Thunderbird. Assigned CWE-908 (Use of Uninitialized Resource) and CWE-457 (Use of Uninitialized Variable), it received a CVSS v3.1 base score of 9.1, reflecting its high severity due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation enables high-impact confidentiality violations, such as disclosure of sensitive information from uninitialized memory, alongside high-impact availability disruptions, potentially leading to denial-of-service conditions like application crashes.
Mozilla addressed the issue in Firefox version 148 and Thunderbird version 148, as detailed in security advisories MFSA 2026-13 and MFSA 2026-16, along with the upstream bug report at Bugzilla ID 2006199. Security practitioners should ensure affected systems are updated to these patched versions to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8459
Vulnerability details
Uninitialized memory in the Graphics: Text component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.
- CWE(s): CWE-908 (Use of Uninitialized Resource), CWE-457 (Use of Uninitialized Variable)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Uninitialized memory use in browser graphics/text enables remote exploitation via malicious web content (drive-by) with no user interaction required, directly supporting T1189; the described high-impact crashes also map to application exploitation for DoS under T1499.004. No RCE or code execution is indicated, limiting additional mappings.
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely flaw remediation, directly requiring patching of Firefox and Thunderbird to version 148 to eliminate the uninitialized memory vulnerability.
SI-16 implements memory protection controls like ASLR and stack canaries that mitigate exploitation of uninitialized memory for information disclosure and denial-of-service.
SI-5 ensures receipt and action on vendor security advisories like MFSA 2026-13, enabling prompt awareness and patching of CVE-2026-2806.