Cyber Resilience

CVE-2026-4716

Critical

Published: 24 March 2026

Published
24 March 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score 0.0041 32.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-4716 is a critical-severity Use of Uninitialized Resource (CWE-908) vulnerability in Mozilla Firefox. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 32.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-4716 is a high-severity vulnerability involving incorrect boundary conditions and uninitialized memory in the JavaScript Engine component. It affects Mozilla Firefox versions prior to 149, Firefox ESR prior to 140.9, Thunderbird prior to 149, and Thunderbird prior to 140.9. The issue, classified under CWE-908 (Use of Uninitialized Resource), received a CVSS v3.1 base score of 9.1, reflecting its critical nature due to network accessibility, low attack complexity, and no requirements for privileges or user interaction.

A remote attacker can exploit this vulnerability over the network without authentication or user interaction. Successful exploitation enables high-impact confidentiality violations, such as disclosure of sensitive memory contents, and high-impact availability disruptions, potentially leading to denial-of-service conditions like application crashes, all within the unchanged security scope.

Mozilla addressed the vulnerability in the specified fixed releases: Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. Security advisories, including MFSA2026-20, MFSA2026-22, MFSA2026-23, and MFSA2026-24, along with Bugzilla entry 2018592, detail the patches and recommend immediate updates to mitigate the risk.

EU & UK References

Vulnerability details

Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability directly enables memory content disclosure (maps to data collection from local system) and application crashes via uninitialized memory use (maps to application exploitation for DoS); no RCE/integrity impact indicated so execution techniques excluded.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4715Same product: Mozilla Firefox
CVE-2026-2794Same product: Mozilla Firefox
CVE-2024-3862Same product: Mozilla Firefox
CVE-2026-4707Same product: Mozilla Firefox
CVE-2026-4713Same product: Mozilla Firefox
CVE-2026-4709Same product: Mozilla Firefox
CVE-2026-4706Same product: Mozilla Firefox
CVE-2026-4704Same product: Mozilla Firefox
CVE-2026-4712Same product: Mozilla Firefox
CVE-2026-4686Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 140.9.0 · ≤ 149.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely identification, prioritization, and remediation of flaws like the uninitialized memory and boundary condition errors in the JavaScript Engine via patching to fixed Firefox and Thunderbird versions.

prevent

Implements memory protection controls such as address space layout randomization and data execution prevention to minimize unauthorized access and exploitation of uninitialized memory disclosures in the JavaScript Engine.

detect

Requires vulnerability scanning to identify systems running vulnerable versions of Firefox or Thunderbird affected by CVE-2026-4716, enabling targeted remediation.

References