CVE-2026-4698
Published: 24 March 2026
Summary
CVE-2026-4698 is a critical-severity Type Confusion (CWE-843) vulnerability in the JavaScript engine shared by Mozilla Firefox and Thunderbird. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Drive-by Compromise (T1189). Its exploit-likelihood ranking places it at the 14.2 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): requires timely identification, reporting and patching of the JIT miscompilation flaw in the Firefox and Thunderbird JavaScript engine, i.e. upgrading to Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149 or Thunderbird 140.9.
RA-5 (Vulnerability Monitoring and Scanning): supports detection of systems still running pre-patch Firefox or Thunderbird builds through regular vulnerability scanning. The installed version must be compared against the fixed point release of its own branch (ESR 115, ESR 140 or mainline), not simply against 149, or ESR hosts will be misclassified.
SI-5 (Security Alerts, Advisories, and Directives): ensures receipt of and response to Mozilla advisories such as MFSA2026-20, which details the CVE-2026-4698 patches, so that remediation is prompt.
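The branch-aware version comparison that the RA-5 control requires, as an added example that is not part of the original page or of any Mozilla tooling. The fixed versions are those from the NVD description; the decision to treat every other major below 149 (for example Firefox 148 or Thunderbird 115, which received no fix in the advisory) as vulnerable, the `--version` output format, and the sample inventory are this example's own assumptions.

```python
"""Branch-aware check of Firefox / Thunderbird versions against the CVE-2026-4698 fixes.

Fixed versions come from the NVD description: Firefox 149, Firefox ESR 115.34,
Firefox ESR 140.9, Thunderbird 149 and Thunderbird 140.9. Everything else is an
assumption of this example (see comments).
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per product and release line. A major that is not a
# listed ESR line falls back to the "main" threshold, so unsupported majors
# such as Firefox 148 or Thunderbird 115 (no fix in the advisory) are treated
# as vulnerable. That treatment is this example's assumption.
FIXED: Dict[str, Dict[object, Version]] = {
    "firefox": {115: (115, 34, 0), 140: (140, 9, 0), "main": (149, 0, 0)},
    "thunderbird": {140: (140, 9, 0), "main": (149, 0, 0)},
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Extract (major, minor, patch) from strings like '140.8.0esr' or
    'Mozilla Firefox 148.0.1'; a missing patch component counts as 0."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def fixed_version(product: str, version: str) -> Version:
    """First fixed release for the branch this build belongs to."""
    lines = FIXED[product.lower()]
    return lines.get(parse_version(version)[0], lines["main"])


def is_vulnerable(product: str, version: str) -> bool:
    """True if this build predates the fix for its own release line."""
    return parse_version(version) < fixed_version(product, version)


def installed_version(binary: str) -> Optional[str]:
    """Run `<binary> --version` (e.g. 'firefox' or 'thunderbird') and return its
    output, or None if the binary is absent. The output is assumed to contain a
    version number such as 'Mozilla Firefox 148.0.1'; parse_version only needs
    that number."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=30)
    return out.stdout.strip() or None


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter an inventory of {'host', 'product', 'version'} records (as a
    scanner or CMDB export might produce) down to the entries still exposed,
    annotating each with the release it must reach."""
    findings = []
    for rec in inventory:
        if is_vulnerable(rec["product"], rec["version"]):
            fixed = fixed_version(rec["product"], rec["version"])
            findings.append({**rec, "fixed_in": ".".join(map(str, fixed))})
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "firefox", "version": "148.0.1"},
    {"host": "ws-02", "product": "firefox", "version": "149.0"},
    {"host": "srv-03", "product": "firefox", "version": "115.33.0esr"},
    {"host": "srv-04", "product": "firefox", "version": "140.9.0esr"},
    {"host": "ws-05", "product": "thunderbird", "version": "140.8.0"},
    {"host": "ws-06", "product": "thunderbird", "version": "115.20.0"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['product']} {f['version']} -> upgrade to {f['fixed_in']}")
    for binary in ("firefox", "thunderbird"):
        v = installed_version(binary)
        if v is not None:
            state = "VULNERABLE" if is_vulnerable(binary, v) else "patched"
            print(f"local {binary}: {v} ({state})")
```

Run against the sample inventory this flags ws-01, srv-03, ws-05 and ws-06; srv-04 on ESR 140.9.0 is correctly left alone even though 140 is far below 149, which is the case a naive "is it at least 149" check gets wrong.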
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A JIT miscompilation that yields RCE in the browser's JavaScript engine, reachable over the network with no privileges and scored UI:N, maps directly to Drive-by Compromise (T1189) and Exploitation for Client Execution (T1203). The UI:N rating should not be read as "no victim involvement": in a drive-by scenario the victim's browser still has to load attacker-controlled JavaScript, typically by visiting a malicious or compromised page or being served it through an ad network; what the attacker does not need is any further click or dialog from the user once the script runs.
NVD Description
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Deeper analysis
CVE-2026-4698 is a JIT miscompilation vulnerability in the JavaScript Engine's JIT component, affecting Mozilla Firefox and Thunderbird. It impacts versions prior to Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. The issue, published on 2026-03-24, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-843.
The vulnerability is exploitable over the network with low attack complexity and requires neither privileges nor user interaction; scope is unchanged, so the impact is confined to the process running the vulnerable JavaScript engine. Successful exploitation has high impact on confidentiality, integrity and availability: for a JIT miscompilation that means arbitrary code execution in that process context, with unauthorized information disclosure, data modification and denial of service all in reach.
Mozilla's security advisories (MFSA2026-20, MFSA2026-21, MFSA2026-22, and MFSA2026-23) and Bugzilla entry 2020906 detail the patches applied in the listed fixed versions, recommending immediate upgrades to mitigate the risk.
Details
- CWE(s)