CVE-2026-4692
Published: 24 March 2026
Summary
CVE-2026-4692 is a critical-severity Improper Isolation or Compartmentalization (CWE-653) vulnerability in Mozilla Firefox. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 38.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-4692 is a sandbox escape vulnerability in the Responsive Design Mode component of Mozilla Firefox and Thunderbird. It affects Firefox versions prior to 149, Firefox ESR prior to 115.34 and 140.9, Thunderbird prior to 149, and Thunderbird prior to 140.9. Published on 2026-03-24, the flaw carries a maximum CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), highlighting its critical severity due to network accessibility, low complexity, no prerequisites, and scope change with full triad impact.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. Successful exploitation enables sandbox escape, potentially granting attackers high-level access to compromise confidentiality, integrity, and availability of the affected browser or email client processes.
Mozilla fixed CVE-2026-4692 in Firefox 149, Firefox ESR 115.34 and 140.9, Thunderbird 149, and Thunderbird 140.9. Security practitioners should review advisories MFSA2026-20, MFSA2026-21, MFSA2026-22, and MFSA2026-23, along with Bugzilla entry 2017643, for patch deployment guidance and additional mitigation details.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14807
Vulnerability details
Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Sandbox escape in client browser (Firefox/Thunderbird) with scope change and full impact directly enables T1203 (Exploitation for Client Execution) to run code outside the browser and T1068 (Exploitation for Privilege Escalation) to break sandbox restrictions for host-level access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates identification, reporting, and correction of the specific sandbox escape flaw via timely patching to fixed Firefox and Thunderbird versions.
Requires monitoring and dissemination of relevant Mozilla security advisories like MFSA2026-20 through MFSA2026-23 to enable prompt awareness and patching of CVE-2026-4692.
Provides vulnerability scanning to detect and prioritize remediation of critical browser vulnerabilities like CVE-2026-4692 in deployed Firefox and Thunderbird instances.
Hardening callouts derived
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 9 (1 rule)
- V-271452 OL 9 must use a Linux Security Module configured to enforce limits on system services. via CWE-653
RHEL 9 (2 rules)
- V-258078 RHEL 9 must use a Linux Security Module configured to enforce limits on system services. via CWE-653
- V-272496 RHEL 9 must elevate the SELinux context when an administrator calls the sudo command. via CWE-653
Ubuntu 22.04 (1 rule)
- V-260470 Ubuntu 22.04 LTS, when booted, must require authentication upon booting into single-user and maintenance modes. via CWE-653
Ubuntu 24.04 (1 rule)
- V-270675 Ubuntu 24.04 LTS when booted must require authentication upon booting into single-user and maintenance modes. via CWE-653
Windows 10 (1 rule)
- V-220712 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-653
Windows 11 (1 rule)
- V-253269 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-653
Windows Server 2016 (1 rule)
- V-225007 Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system. via CWE-653