Cyber Resilience

CVE-2026-4726

Severity: High · Tag: DDoS

Published: 24 March 2026
Modified: 13 April 2026
KEV Added: not listed
Patch: available (Firefox 149 / Thunderbird 149)
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0053 (40.9th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-4726 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Mozilla Firefox. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE is ranked at the 40.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-4726 is a denial-of-service vulnerability in the XML component of Mozilla Firefox and Thunderbird, stemming from uncontrolled resource consumption as classified under CWE-400. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects. The vulnerability was fixed in Firefox version 149 and Thunderbird version 149.

A remote, unauthenticated attacker can exploit this over the network with low complexity and no user interaction required. Exploitation triggers resource exhaustion in the XML parser, leading to denial of service such as application crashes or severe performance degradation in affected browsers or email clients.

Mozilla's security advisories MFSA 2026-20 and MFSA 2026-23 document the patch details and release notes, with additional technical analysis available in Bugzilla bug 1955311. Mitigation involves updating to Firefox 149 or Thunderbird 149, as no workarounds are specified in the provided references.

Vulnerability details

Denial-of-service in the XML component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

CWE(s): CWE-400 Uncontrolled Resource Consumption

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The CVE directly describes remote exploitation of the XML parser for resource exhaustion (CWE-400), matching the T1499.003 Application Exhaustion Flood sub-technique under Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6780 (same product: Mozilla Firefox)
CVE-2025-9182 (same product: Mozilla Firefox)
CVE-2026-6781 (same product: Mozilla Firefox)
CVE-2026-4727 (same product: Mozilla Firefox)
CVE-2026-8968 (same product: Mozilla Firefox)
CVE-2024-10466 (same product: Mozilla Firefox)
CVE-2026-0889 (same product: Mozilla Firefox)
CVE-2026-6777 (same product: Mozilla Firefox)
CVE-2022-42929 (same product: Mozilla Firefox)
CVE-2025-11721 (same product: Mozilla Firefox)

Affected Assets

Vendor    Product       Affected versions
mozilla   firefox       ≤ 149.0
mozilla   thunderbird   ≤ 149.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)
Flaw remediation directly mitigates CVE-2026-4726 by requiring timely application of patches such as Firefox/Thunderbird version 149 to eliminate the XML parser resource exhaustion vulnerability.

SC-5 Denial-of-service Protection (prevent)
Denial-of-service protection implements mechanisms to counter resource exhaustion attacks like this uncontrolled consumption in the XML component.

SC-6 Resource Availability (prevent)
Resource availability protection safeguards against unauthorized resource depletion, directly addressing the CWE-400 uncontrolled consumption triggered by malicious XML inputs.