Cyber Resilience

CVE-2026-4705

Critical

Published: 24 March 2026

Published
24 March 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0042 33.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-4705 is a critical-severity Reliance on Undefined, Unspecified, or Implementation-Defined Behavior (CWE-758) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 33.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4705 involves undefined behavior in the WebRTC Signaling component, affecting Mozilla Firefox and Thunderbird products. The vulnerability was addressed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9, meaning earlier versions remain susceptible. It carries associated CWEs including NVD-CWE-noinfo and CWE-758, and was published on 2026-03-24.

Attackers can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N), and without changing the scope (S:U). Successful exploitation enables high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 9.8.

Mozilla's security advisories, including MFSA2026-20, MFSA2026-22, MFSA2026-23, and MFSA2026-24, along with Bugzilla entry 2014873, document the issue and confirm fixes in the specified versions as the primary mitigation. Security practitioners should prioritize updating affected browsers and email clients to patched releases.

EU & UK References

Vulnerability details

Undefined behavior in the WebRTC: Signaling component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Undefined behavior in WebRTC signaling component with CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) indicates remote client-side memory corruption or code execution flaw in Firefox/Thunderbird; directly enables T1203 (Exploitation for Client Execution) via malicious WebRTC signaling without requiring privileges or explicit user interaction beyond normal app usage.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6756Same product: Mozilla Firefox
CVE-2026-5732Same product: Mozilla Firefox
CVE-2026-10701Same product: Mozilla Firefox
CVE-2026-4723Same product: Mozilla Firefox
CVE-2026-3845Same product: Mozilla Firefox
CVE-2026-4724Same product: Mozilla Firefox
CVE-2026-4701Same product: Mozilla Firefox
CVE-2026-24869Same product: Mozilla Firefox
CVE-2026-4700Same product: Mozilla Firefox
CVE-2026-3847Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 140.9.0 · ≤ 149.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, prioritization, and patching of flaws like CVE-2026-4705 in Firefox and Thunderbird WebRTC signaling component.

preventdetect

Requires vulnerability scanning to identify unpatched instances of CVE-2026-4705 in deployed Mozilla browsers and clients.

prevent

Ensures dissemination of and response to security advisories like MFSA2026-20 documenting CVE-2026-4705 and its patches.

References