CVE-2026-4692
Published: 24 March 2026
Summary
CVE-2026-4692 is a critical-severity an unspecified weakness vulnerability in Mozilla Firefox. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 8.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates identification, reporting, and correction of the specific sandbox escape flaw via timely patching to fixed Firefox and Thunderbird versions.
Requires monitoring and dissemination of relevant Mozilla security advisories like MFSA2026-20 through MFSA2026-23 to enable prompt awareness and patching of CVE-2026-4692.
Provides vulnerability scanning to detect and prioritize remediation of critical browser vulnerabilities like CVE-2026-4692 in deployed Firefox and Thunderbird instances.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Sandbox escape in client browser (Firefox/Thunderbird) with scope change and full impact directly enables T1203 (Exploitation for Client Execution) to run code outside the browser and T1068 (Exploitation for Privilege Escalation) to break sandbox restrictions for host-level access.
NVD Description
Sandbox escape in the Responsive Design Mode component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Deeper analysisAI
CVE-2026-4692 is a sandbox escape vulnerability in the Responsive Design Mode component of Mozilla Firefox and Thunderbird. It affects Firefox versions prior to 149, Firefox ESR prior to 115.34 and 140.9, Thunderbird prior to 149, and Thunderbird prior to 140.9. Published on 2026-03-24, the flaw carries a maximum CVSS v3.1 score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), highlighting its critical severity due to network accessibility, low complexity, no prerequisites, and scope change with full triad impact.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. Successful exploitation enables sandbox escape, potentially granting attackers high-level access to compromise confidentiality, integrity, and availability of the affected browser or email client processes.
Mozilla fixed CVE-2026-4692 in Firefox 149, Firefox ESR 115.34 and 140.9, Thunderbird 149, and Thunderbird 140.9. Security practitioners should review advisories MFSA2026-20, MFSA2026-21, MFSA2026-22, and MFSA2026-23, along with Bugzilla entry 2017643, for patch deployment guidance and additional mitigation details.
Details
- CWE(s)