Cyber Resilience

CVE-2026-4688

Severity: Critical (updated)

Published: 24 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (Firefox 149 / Firefox ESR 140.9; see fixed versions below)
CVSS v3.1 base score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS score: 0.0053 (40.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-4688 is a critical-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 40.9th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).

Deeper analysis

CVE-2026-4688 is a critical sandbox escape vulnerability stemming from a use-after-free flaw (CWE-416) in the Disability Access APIs component of Mozilla products. It affects Firefox prior to version 149, Firefox ESR prior to 140.9, Thunderbird prior to 149, and Thunderbird prior to 140.9. The issue was publicly disclosed on March 24, 2026, and carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating its severe potential impact.

The CVSS vector scores the flaw as reachable over the network with low complexity, no privileges, and no user interaction. Successful exploitation escapes the sandbox, granting elevated privileges and resulting in high-impact confidentiality, integrity, and availability violations, potentially leading to full system compromise on affected browsers or email clients. Note that a sandbox escape, by definition, moves code that is already running inside a sandboxed content process into the more privileged parent process; in practice it is chained with a separate bug that first gains execution in the content process, so the vector's no-interaction rating should be read alongside that delivery requirement.

Mozilla's security advisories (MFSA 2026-20, 22, 23, and 24) and the associated Bugzilla entry (bug 2016373) confirm the vulnerability was addressed in the specified fixed releases. Security practitioners should prioritize updating to Firefox 149 or later, Firefox ESR 140.9 or later, Thunderbird 149 or later, and Thunderbird 140.9 or later to mitigate the risk.
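Because the fix lands on two branches (140.9 on the ESR line, 149 on the release line), a naive version comparison gets the answer wrong: 141.0 through 148.x sort above 140.9 yet are still vulnerable, and 140.9.0 itself is fixed. The following branch-aware check is an added example written for this page, not code from Mozilla or from the site; the hostnames and version strings in the sample inventory are constructed, and it assumes version strings in the form printed by `firefox --version` (e.g. "Mozilla Firefox 140.8.0esr").

```python
import re
from typing import Dict, List, Tuple

# Fixed versions named on this page (MFSA 2026-20, -22, -23, -24).
# Branch rule: the 140.x ESR line is fixed at 140.9; every other line at 149.
FIXED_RELEASE = (149, 0, 0)
ESR_MAJOR = 140
FIXED_ESR = (140, 9, 0)

# Matches the tail of `firefox --version` output ("Mozilla Firefox 140.8.0esr")
# or a bare "148.0.1". Pre-release strings such as "149.0b3" are rejected on
# purpose: a beta is not one of the fixed releases named in the advisories.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:esr)?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch); a missing patch component counts as 0."""
    m = _VERSION_RE.search(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable(version: str) -> bool:
    """True if this build predates the fix for CVE-2026-4688.

    Branch-aware: 140.8 (ESR) is vulnerable and 140.9 is not, but 141.0
    through 148.x are release-channel builds that remain vulnerable even
    though they sort above 140.9. A single ">= 140.9" test would miss them.
    """
    v = parse_version(version)
    if v[0] == ESR_MAJOR:
        return v < FIXED_ESR
    return v < FIXED_RELEASE


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a host -> version-string map into vulnerable and patched hosts.

    Unparseable strings are reported as 'unknown' rather than silently
    dropped, so a scanner never quietly marks a host as safe.
    """
    out: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, ver in sorted(inventory.items()):
        try:
            out["vulnerable" if is_vulnerable(ver) else "patched"].append(host)
        except ValueError:
            out["unknown"].append(host)
    return out


# Constructed sample inventory (hypothetical hostnames and version strings).
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 140.8.0esr",  # ESR, one behind the fix
    "ws-02": "Mozilla Firefox 140.9.0esr",  # ESR, fixed
    "ws-03": "Mozilla Firefox 148.0.1",     # release channel, not yet 149
    "ws-04": "Mozilla Firefox 149.0",       # release channel, fixed
    "ws-05": "Mozilla Firefox 141.0",       # sorts above 140.9 but still vulnerable
    "ws-06": "Mozilla Firefox 149.0b3",     # pre-release: flagged as unknown
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Feed it the output of `firefox --version` collected from endpoints; the same branch rule applies to Thunderbird's 140.x and 149 lines as stated above, so only the constants change if the ESR line is re-based later.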


Vulnerability details

Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

CWE(s)

CWE-416: Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Use-after-free sandbox escape in client application (Firefox/Thunderbird) enables remote unauthenticated code execution with scope change to full system privileges, directly mapping to T1203 (client execution) and T1068 (privilege escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4696 · Same product: Mozilla Firefox
CVE-2026-4691 · Same product: Mozilla Firefox
CVE-2026-8390 · Same product: Mozilla Firefox
CVE-2026-4725 · Same product: Mozilla Firefox
CVE-2026-4723 · Same product: Mozilla Firefox
CVE-2026-4701 · Same product: Mozilla Firefox
CVE-2026-24869 · Same product: Mozilla Firefox
CVE-2026-4711 · Same product: Mozilla Firefox
CVE-2026-3847 · Same product: Mozilla Firefox
CVE-2024-5694 · Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
< 149.0 (release channel) · < 140.9.0 (ESR line); 149.0 and 140.9.0 are the fixed versions, not affected ones

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

prevent · SI-2 Flaw Remediation

Directly remediates the use-after-free vulnerability by requiring timely patching to Firefox 149+, ESR 140.9+, or the Thunderbird equivalents specified in the Mozilla advisories.

prevent · memory protection

Mitigates use-after-free exploitation through memory protection mechanisms such as ASLR and DEP that hinder arbitrary code execution in sandboxed environments.

prevent · SC-39 Process Isolation

Strengthens process isolation boundaries to limit the impact of sandbox escapes originating from flaws in components like the Disability Access APIs.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only). The rules below govern how the Linux kernel handles freed memory; they do not change how Firefox's own user-space allocator behaves, so they are general hardening for CWE-416 rather than a mitigation for this specific CVE.

Oracle Linux 8 (1 rule)
  • V-248592 OL 8 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416
RHEL 8 (1 rule)
  • V-230279 RHEL 8 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416
RHEL 9 (1 rule)
  • V-257794 RHEL 9 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416
