Cyber Resilience

CVE-2026-4701

Severity: Critical
Published: 24 March 2026
Modified: 13 April 2026
KEV Added: not listed
Patch: available (fixed versions listed under Deeper analysis)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0046 (36.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-4701 is a critical-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 36.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-4701 is a use-after-free vulnerability (CWE-416) in the JavaScript Engine component of Mozilla products. It affects Firefox, Firefox ESR, and Thunderbird versions prior to the fixed releases of Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. The vulnerability was publicly disclosed on 2026-03-24.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable remotely over the network by unauthenticated attackers with low attack complexity and no user interaction. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially enabling arbitrary code execution within the context of the affected browser or mail client.

Mozilla security advisories (MFSA2026-20, MFSA2026-22, MFSA2026-23, and MFSA2026-24) and Bugzilla entry 2009303 detail the issue and confirm mitigation through updates to the specified fixed versions. Security practitioners should prioritize patching affected installations to Firefox 149, Firefox ESR 140.9, Thunderbird 149, or Thunderbird 140.9.

EU & UK References

Vulnerability details

Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

  • T1203 Exploitation for Client Execution (tactic: Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
  • T1059.007 JavaScript (tactic: Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

A use-after-free in the JavaScript engine can enable remote arbitrary code execution on the client (browser or mail client) through crafted JavaScript, which maps to client-application exploitation (T1203) and abuse of the JavaScript interpreter (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

  • CVE-2026-4723 (same product: Mozilla Firefox)
  • CVE-2026-24869 (same product: Mozilla Firefox)
  • CVE-2026-4711 (same product: Mozilla Firefox)
  • CVE-2026-4725 (same product: Mozilla Firefox)
  • CVE-2024-5694 (same product: Mozilla Firefox)
  • CVE-2024-4771 (same product: Mozilla Firefox)
  • CVE-2020-26972 (same product: Mozilla Firefox)
  • CVE-2023-5172 (same product: Mozilla Firefox)
  • CVE-2025-13014 (same product: Mozilla Firefox)
  • CVE-2024-3856 (same product: Mozilla Firefox)

Affected Assets

Vendor: mozilla
Product: firefox
Versions: ≤ 140.9.0 · ≤ 149.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

  • prevent: Directly requires timely patching of the use-after-free vulnerability in the JavaScript engine to the fixed Firefox and Thunderbird versions, preventing exploitation.
  • prevent: Implements memory protections such as ASLR and DEP that raise the bar for successful exploitation of the use-after-free in the JavaScript engine.
  • detect: Enables vulnerability scanning to identify systems running affected versions of Firefox, Firefox ESR, or Thunderbird prior to the fixed releases.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (1 rule)
  • V-248592 OL 8 must clear memory when it is freed to prevent use-after-free attacks. (via CWE-416)
RHEL 8 (1 rule)
  • V-230279 RHEL 8 must clear memory when it is freed to prevent use-after-free attacks. (via CWE-416)
RHEL 9 (1 rule)
  • V-257794 RHEL 9 must clear memory when it is freed to prevent use-after-free attacks. (via CWE-416)

References