Cyber Resilience

CVE-2026-4722

High

Published: 24 March 2026

Published
24 March 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0031 23.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-4722 is a high-severity an unspecified weakness vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 23.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-25 (Reference Monitor).

Deeper analysis

CVE-2026-4722 is a privilege escalation vulnerability in the IPC component of Mozilla Firefox and Thunderbird. It affects versions of these browsers prior to 149, where the issue was addressed. Published on 2026-03-24, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE category NVD-CWE-noinfo.

The vulnerability can be exploited by remote attackers requiring low attack complexity and no privileges, though user interaction is necessary. Successful exploitation enables high-impact consequences on confidentiality, integrity, and availability within the unchanged scope, allowing privilege escalation in the affected browser processes.

Mozilla's security advisories MFSA 2026-20 and MFSA 2026-23 detail the fix implemented in Firefox 149 and Thunderbird 149. Additional technical information is available in Bugzilla entry 2010097.

EU & UK References

Vulnerability details

Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE explicitly describes a privilege escalation vulnerability in the browser IPC component (sandbox escape pattern), directly enabling T1068 Exploitation for Privilege Escalation via remote exploit with user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4717Same product: Mozilla Firefox
CVE-2026-8401Same product: Mozilla Firefox
CVE-2025-2857Same product: Mozilla Firefox
CVE-2026-4688Same product: Mozilla Firefox
CVE-2026-4690Same product: Mozilla Firefox
CVE-2026-4725Same product: Mozilla Firefox
CVE-2026-4687Same product: Mozilla Firefox
CVE-2021-23985Same product: Mozilla Firefox
CVE-2022-45417Same product: Mozilla Firefox
CVE-2020-26977Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 149.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the CVE by requiring timely remediation through patching Firefox and Thunderbird to version 149 or later where the IPC privilege escalation flaw is fixed.

prevent

Enforces a reference monitor for access control decisions in IPC communications, mitigating unauthorized privilege escalations between browser processes.

prevent

Maintains process isolation in the browser to limit the scope and impact of IPC-based privilege escalation exploits.

References