CVE-2026-4719
Published: 24 March 2026
Summary
CVE-2026-4719 is a high-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Mozilla Firefox. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 6.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation directly applies vendor patches (Firefox 149, ESR 140.9, Thunderbird 149/140.9) that correct the incorrect boundary conditions in the Graphics: Text component.
Vulnerability scanning identifies systems running affected versions of Firefox or Thunderbird prior to the patched releases.
Monitoring security advisories like Mozilla MFSA 2026-20/22/23/24 ensures awareness of this DoS vulnerability and triggers patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables remote exploitation of a buffer error in Firefox/Thunderbird graphics rendering, directly causing application crash and high-impact endpoint DoS with no other effects.
NVD Description
Incorrect boundary conditions in the Graphics: Text component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Deeper analysisAI
CVE-2026-4719 is a vulnerability involving incorrect boundary conditions in the Graphics: Text component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 149, Firefox ESR prior to 140.9, Thunderbird prior to 149, and Thunderbird prior to 140.9. The issue is classified under CWE-754 (Improper Check for Unusual or Exceptional Conditions) and CWE-119 (Buffer Errors), with a CVSS v3.1 base score of 7.5.
The vulnerability can be exploited by a remote, unauthenticated attacker with low complexity and no user interaction required. Successful exploitation results in a denial of service, specifically high-impact availability disruption (A:H), with no impact on confidentiality or integrity (C:N/I:N), over the network (AV:N) and without privilege requirements (PR:N).
Mozilla security advisories (MFSA 2026-20, 2026-22, 2026-23, and 2026-24) and the associated Bugzilla entry detail the patch releases that address the issue: Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. Security practitioners should ensure affected products are updated to these versions or later to mitigate the vulnerability.
Details
- CWE(s)