CVE-2026-4722

High

Published: 24 March 2026

Published

24 March 2026

Modified

13 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0002 4.0th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4722 is a high-severity an unspecified weakness vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 4.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-25 (Reference Monitor).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the CVE by requiring timely remediation through patching Firefox and Thunderbird to version 149 or later where the IPC privilege escalation flaw is fixed.

AC-25 Reference Monitor partial match

prevent

Enforces a reference monitor for access control decisions in IPC communications, mitigating unauthorized privilege escalations between browser processes.

SC-39 Process Isolation partial match

prevent

Maintains process isolation in the browser to limit the scope and impact of IPC-based privilege escalation exploits.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

CVE explicitly describes a privilege escalation vulnerability in the browser IPC component (sandbox escape pattern), directly enabling T1068 Exploitation for Privilege Escalation via remote exploit with user interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Deeper analysisAI

CVE-2026-4722 is a privilege escalation vulnerability in the IPC component of Mozilla Firefox and Thunderbird. It affects versions of these browsers prior to 149, where the issue was addressed. Published on 2026-03-24, the vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE category NVD-CWE-noinfo.

The vulnerability can be exploited by remote attackers requiring low attack complexity and no privileges, though user interaction is necessary. Successful exploitation enables high-impact consequences on confidentiality, integrity, and availability within the unchanged scope, allowing privilege escalation in the affected browser processes.

Mozilla's security advisories MFSA 2026-20 and MFSA 2026-23 detail the fix implemented in Firefox 149 and Thunderbird 149. Additional technical information is available in Bugzilla entry 2010097.

Details

CWE(s): NVD-CWE-noinfo

Affected Products

mozilla

firefox

≤ 149.0

CVEs Like This One

CVE-2026-4717Same product: Mozilla Firefox

CVE-2026-4688Same product: Mozilla Firefox

CVE-2025-2857Same product: Mozilla Firefox

CVE-2026-4690Same product: Mozilla Firefox

CVE-2026-4687Same product: Mozilla Firefox

CVE-2026-4725Same product: Mozilla Firefox

CVE-2026-2782Same product: Mozilla Firefox

CVE-2026-4691Same product: Mozilla Firefox

CVE-2026-4697Same product: Mozilla Firefox

CVE-2026-24869Same product: Mozilla Firefox

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2010097
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-20/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-23/
security@mozilla.org