CVE-2026-4725
Published: 24 March 2026
Summary
CVE-2026-4725 is a critical-severity Use After Free (CWE-416) vulnerability in Mozilla Firefox. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 2.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free flaw by requiring timely application of vendor patches such as Firefox 149 and Thunderbird 149.
Implements memory protections like address space layout randomization and data execution prevention to mitigate use-after-free vulnerabilities and prevent arbitrary code execution.
Enforces process isolation techniques such as browser sandboxing to restrict the scope of sandbox escape attempts even if the use-after-free occurs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE enables drive-by compromise via malicious website/crafted content triggering UAF in browser Canvas2D (T1189), client application exploitation for code execution (T1203), and sandbox escape for host-level privilege escalation (T1068).
NVD Description
Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Deeper analysisAI
CVE-2026-4725 is a sandbox escape vulnerability stemming from a use-after-free flaw in the Graphics: Canvas2D component of Mozilla Firefox and Thunderbird. Assigned CWE-416, it received a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and scope change with high impacts across confidentiality, integrity, and availability. The issue was addressed in Firefox version 149 and Thunderbird version 149.
Remote attackers can exploit this vulnerability by tricking users into visiting a malicious website or loading crafted content that triggers the use-after-free in Canvas2D rendering. No authentication or user privileges are needed, and exploitation requires no user interaction beyond normal browsing. Successful exploitation allows attackers to escape the browser's sandbox, potentially leading to arbitrary code execution on the host system with full confidentiality, integrity, and availability impacts.
Mozilla's security advisories (MFSA 2026-20 and MFSA 2026-23) and the associated Bugzilla entry (bug 2017108) detail the patch deployment in Firefox 149 and Thunderbird 149, recommending immediate updates to mitigate the flaw. Practitioners should prioritize upgrading affected browsers and monitor for patches in derivative products.
Details
- CWE(s)