CVE-2026-4716
Published: 24 March 2026
Summary
CVE-2026-4716 is a critical-severity Use of Uninitialized Resource (CWE-908) vulnerability in Mozilla Firefox. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 7.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely identification, prioritization, and remediation of flaws like the uninitialized memory and boundary condition errors in the JavaScript Engine via patching to fixed Firefox and Thunderbird versions.
Implements memory protection controls such as address space layout randomization and data execution prevention to minimize unauthorized access and exploitation of uninitialized memory disclosures in the JavaScript Engine.
Requires vulnerability scanning to identify systems running vulnerable versions of Firefox or Thunderbird affected by CVE-2026-4716, enabling targeted remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly enables memory content disclosure (maps to data collection from local system) and application crashes via uninitialized memory use (maps to application exploitation for DoS); no RCE/integrity impact indicated so execution techniques excluded.
NVD Description
Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Deeper analysisAI
CVE-2026-4716 is a high-severity vulnerability involving incorrect boundary conditions and uninitialized memory in the JavaScript Engine component. It affects Mozilla Firefox versions prior to 149, Firefox ESR prior to 140.9, Thunderbird prior to 149, and Thunderbird prior to 140.9. The issue, classified under CWE-908 (Use of Uninitialized Resource), received a CVSS v3.1 base score of 9.1, reflecting its critical nature due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.
A remote attacker can exploit this vulnerability over the network without authentication or user interaction. Successful exploitation enables high-impact confidentiality violations, such as disclosure of sensitive memory contents, and high-impact availability disruptions, potentially leading to denial-of-service conditions like application crashes, all within the unchanged security scope.
Mozilla addressed the vulnerability in the specified fixed releases: Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. Security advisories, including MFSA2026-20, MFSA2026-22, MFSA2026-23, and MFSA2026-24, along with Bugzilla entry 2018592, detail the patches and recommend immediate updates to mitigate the risk.
Details
- CWE(s)