CVE-2026-4724
Published: 24 March 2026
Summary
CVE-2026-4724 is a critical-severity Reliance on Undefined, Unspecified, or Implementation-Defined Behavior (CWE-758) vulnerability in Mozilla Firefox. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 3.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and correction of software flaws like the undefined behavior in Firefox/Thunderbird audio/video components fixed in version 149.
Mandates receiving, disseminating, and acting on vendor security advisories such as MFSA 2026-20 and MFSA 2026-23 to apply patches mitigating this CVE.
Enables vulnerability scanning to identify systems running vulnerable Firefox or Thunderbird versions prior to 149 affected by this critical flaw.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network exploit in browser media component (no auth/UI) enables drive-by compromise via malicious sites and direct client application exploitation for code execution.
NVD Description
Undefined behavior in the Audio/Video component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Deeper analysisAI
CVE-2026-4724 is a vulnerability involving undefined behavior in the Audio/Video component of Mozilla Firefox and Thunderbird. It affects versions of these browsers prior to 149 and is classified under CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior). The issue carries a CVSS v3.1 base score of 9.1, indicating critical severity due to its potential for high impact on confidentiality and integrity.
Remote attackers can exploit this vulnerability over a network with low complexity, requiring no privileges or user interaction. Successful exploitation allows attackers to achieve high confidentiality impact by accessing sensitive data and high integrity impact by modifying application data, without affecting availability or changing the scope.
Mozilla's security advisories (MFSA 2026-20 and MFSA 2026-23) and the associated Bugzilla entry detail the fix implemented in Firefox 149 and Thunderbird 149. Security practitioners should prioritize updating affected browsers to these versions for mitigation.
Details
- CWE(s)