Cyber Posture

CVE-2026-4726

Severity: High

Published: 24 March 2026

Modified: 13 April 2026
KEV Added: not listed
Patch: available (Firefox 149, Thunderbird 149)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (3.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4726 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Mozilla Firefox. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). EPSS ranks it at the 3.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Flaw remediation directly mitigates CVE-2026-4726 by requiring timely application of patches such as Firefox/Thunderbird version 149 to eliminate the XML parser resource exhaustion vulnerability.

Prevent: Denial-of-service protection implements mechanisms to counter resource exhaustion attacks like this uncontrolled consumption in the XML component.

Prevent: Resource availability protection safeguards against unauthorized resource depletion, directly addressing the CWE-400 uncontrolled consumption triggered by malicious XML inputs.

MITRE ATT&CK Enterprise Techniques [AI]

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

Why these techniques?

The CVE directly describes remote exploitation of the XML parser for resource exhaustion (CWE-400), matching the T1499.003 Application Exhaustion Flood sub-technique under Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Denial-of-service in the XML component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Deeper analysis [AI]

CVE-2026-4726 is a denial-of-service vulnerability in the XML component of Mozilla Firefox and Thunderbird, stemming from uncontrolled resource consumption as classified under CWE-400. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects. The vulnerability was fixed in Firefox version 149 and Thunderbird version 149.

A remote, unauthenticated attacker can exploit this over the network with low complexity and no user interaction required. Exploitation triggers resource exhaustion in the XML parser, leading to denial of service such as application crashes or severe performance degradation in affected browsers or email clients.

Mozilla's security advisories MFSA 2026-20 and MFSA 2026-23 document the patch details and release notes, with additional technical analysis available in Bugzilla bug 1955311. Mitigation involves updating to Firefox 149 or Thunderbird 149, as no workarounds are specified in the provided references.

Details

CWE(s): CWE-400 (Uncontrolled Resource Consumption)

Affected Products

mozilla / firefox: ≤ 149.0
mozilla / thunderbird: ≤ 149.0

CVEs Like This One

CVE-2026-6780 (same product: Mozilla Firefox)
CVE-2026-0889 (same product: Mozilla Firefox)
CVE-2026-4727 (same product: Mozilla Firefox)
CVE-2026-6781 (same product: Mozilla Firefox)
CVE-2026-6777 (same product: Mozilla Firefox)
CVE-2026-8093 (same product: Mozilla Firefox)
CVE-2025-9185 (same product: Mozilla Firefox)
CVE-2026-2803 (same product: Mozilla Firefox)
CVE-2026-6766 (same product: Mozilla Firefox)
CVE-2025-1018 (same product: Mozilla Firefox)