Cyber Posture

CVE-2026-4688

Critical

Published: 24 March 2026

Modified: 13 April 2026
KEV Added: (not listed)
Patch: (see fixed versions below)
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.3th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4688 is a critical-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation): Directly remediates the use-after-free vulnerability by requiring timely patching to Firefox 149+, ESR 140.9+, or Thunderbird equivalents as specified in Mozilla advisories.

prevent: Mitigates use-after-free exploitation through memory protection mechanisms like ASLR and DEP that hinder arbitrary code execution in sandboxed environments.

prevent (SC-39, Process Isolation): Strengthens process isolation boundaries to limit the impact of sandbox escapes originating from flaws in components like Disability Access APIs.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Use-after-free sandbox escape in client application (Firefox/Thunderbird) enables remote unauthenticated code execution with scope change to full system privileges, directly mapping to T1203 (client execution) and T1068 (privilege escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Deeper analysis

CVE-2026-4688 is a critical sandbox escape vulnerability stemming from a use-after-free flaw (CWE-416) in the Disability Access APIs component of Mozilla products. It affects Firefox prior to version 149, Firefox ESR prior to 140.9, Thunderbird prior to 149, and Thunderbird prior to 140.9. The issue was publicly disclosed on March 24, 2026, and carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating its severe potential impact.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables sandbox escape, granting elevated privileges and resulting in high-impact confidentiality, integrity, and availability violations, potentially leading to full system compromise on affected browsers or email clients.

Mozilla's security advisories (MFSA 2026-20, 22, 23, and 24) and the associated Bugzilla entry (bug 2016373) confirm the vulnerability was addressed in the specified fixed releases. Security practitioners should prioritize updating to Firefox 149 or later, Firefox ESR 140.9 or later, Thunderbird 149 or later, and Thunderbird 140.9 or later to mitigate the risk.

Details

CWE(s)

CWE-416 Use After Free

Affected Products

mozilla firefox: ≤ 140.9.0 · ≤ 149.0

CVEs Like This One

CVE-2026-4725 (same product: Mozilla Firefox)
CVE-2026-4691 (same product: Mozilla Firefox)
CVE-2026-4711 (same product: Mozilla Firefox)
CVE-2026-8390 (same product: Mozilla Firefox)
CVE-2026-24869 (same product: Mozilla Firefox)
CVE-2026-4696 (same product: Mozilla Firefox)
CVE-2026-4723 (same product: Mozilla Firefox)
CVE-2026-4701 (same product: Mozilla Firefox)
CVE-2026-3847 (same product: Mozilla Firefox)
CVE-2026-4684 (same product: Mozilla Firefox)

References