CVE-2026-3845
Published: 10 March 2026
Summary
CVE-2026-3845 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 14.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of the heap buffer overflow flaw in Firefox for Android via patching to version 148.0.2 or later.
Provides memory safeguards such as ASLR, DEP, and stack canaries that mitigate exploitation of heap buffer overflows during media playback.
Enables scanning to identify systems running vulnerable versions of Firefox for Android affected by this media processing heap overflow.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Heap buffer overflow in browser media playback component directly enables client-side RCE (T1203) when user opens malicious audio/video file (T1204.002).
NVD Description
Heap buffer overflow in the Audio/Video: Playback component in Firefox for Android. This vulnerability was fixed in Firefox 148.0.2.
Deeper analysisAI
CVE-2026-3845 is a heap buffer overflow vulnerability (CWE-122) in the Audio/Video: Playback component of Firefox for Android. The flaw allows memory corruption when processing certain media content during playback. It was publicly disclosed on March 10, 2026, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Remote attackers can exploit this vulnerability by tricking users into playing maliciously crafted media files or streams accessible over the network. No privileges are required, but user interaction is necessary, such as opening a specially crafted video or audio file in the browser. Successful exploitation could result in high confidentiality, integrity, and availability impacts, potentially enabling arbitrary code execution, data theft, or system compromise on the affected Android device.
Mozilla's security advisory (MFSA 2026-19) and the associated Bugzilla entry (bug 2020174) confirm that the vulnerability was addressed in Firefox for Android version 148.0.2. Security practitioners should prioritize updating affected devices to this version or later to mitigate the risk, and advise users to avoid playing untrusted media content from unverified sources.
Details
- CWE(s)