CVE-2026-4701
Published: 24 March 2026
Summary
CVE-2026-4701 is a critical-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 36.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-4701 is a use-after-free vulnerability (CWE-416) in the JavaScript Engine component of Mozilla products. It affects Firefox, Firefox ESR, and Thunderbird versions prior to the fixed releases of Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. The vulnerability was publicly disclosed on 2026-03-24.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low attack complexity and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution within the context of the affected browser or mail client.
Mozilla security advisories (MFSA2026-20, MFSA2026-22, MFSA2026-23, and MFSA2026-24) and Bugzilla entry 2009303 detail the issue and confirm mitigation through updates to the specified fixed versions. Security practitioners should prioritize patching affected installations to Firefox 149, Firefox ESR 140.9, Thunderbird 149, or Thunderbird 140.9.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14819
Vulnerability details
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
- CWE(s): CWE-416 (Use After Free)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploitation for Client Execution (T1203)
Why these techniques?
A use-after-free in the JavaScript engine enables arbitrary code execution on the client (browser or mail client) from crafted JavaScript, which maps to client-side exploitation and abuse of the JavaScript interpreter.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely patching of the use-after-free vulnerability in the JavaScript engine to the fixed Firefox and Thunderbird versions, preventing exploitation.
- SI-16 (Memory Protection): Implements memory protections such as ASLR and DEP that raise the bar for successful exploitation of the use-after-free in the JavaScript engine.
- RA-5 (Vulnerability Monitoring and Scanning): Enables vulnerability scanning to identify systems running affected versions of Firefox, Firefox ESR, or Thunderbird prior to the fixed releases.
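As an added illustration of the RA-5 scanning control (example code, not part of this advisory record), a small Python helper that classifies inventoried Firefox and Thunderbird builds against the fixed releases named above. The `host,product,version` inventory format, the treatment of an `esr` suffix as the ESR train, and the sample hosts are assumptions made for the example.

```python
import re

# Fixed releases named in the advisory, as (major, minor) per product and train.
FIXED_RELEASES = {
    "firefox": {"release": (149, 0), "esr": (140, 9)},
    "thunderbird": {"release": (149, 0), "esr": (140, 9)},
}
# Assumed Mozilla version layout: major.minor[.patch] with an optional "esr" suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?(esr)?$")


def is_affected(product: str, version: str) -> tuple[bool, str]:
    """Return (affected, fixed_release) for one installed Firefox/Thunderbird build."""
    key = product.lower()
    if key not in FIXED_RELEASES:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    m = VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unparseable Mozilla version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    # The "esr" suffix selects the ESR train; anything else is judged against the
    # release train, so an unsuffixed 14x.y build is compared to 149.0, not 140.9.
    train = "esr" if m.group(3) else "release"
    fixed = FIXED_RELEASES[key][train]
    label = f"{fixed[0]}.{fixed[1]}{'esr' if train == 'esr' else ''}"
    return (major, minor) < fixed, label


def scan_inventory(lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Classify 'host,product,version' rows; return (host, product, version, fixed_in) for affected hosts."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank and comment rows
        host, product, version = (f.strip() for f in line.split(",", 2))
        affected, fixed_in = is_affected(product, version)
        if affected:
            hits.append((host, product, version, fixed_in))
    return hits


# Constructed sample inventory (hosts and versions are made up for the example).
SAMPLE_INVENTORY = [
    "ws-01,firefox,148.0.1",
    "ws-02,firefox,149.0",
    "srv-03,firefox,140.8.0esr",
    "srv-04,firefox,140.9.0esr",
    "mail-05,thunderbird,128.10.0esr",
    "mail-06,thunderbird,149.0",
]
```

Calling `scan_inventory(SAMPLE_INVENTORY)` returns the rows for ws-01, srv-03 and mail-05, each paired with the release it should be updated to; an older ESR line such as 128.x is reported as affected because it predates ESR 140.9.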
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (1 rule)
- V-248592 OL 8 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416
RHEL 8 (1 rule)
- V-230279 RHEL 8 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416
RHEL 9 (1 rule)
- V-257794 RHEL 9 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416