Cyber Posture

CVE-2026-4727

HighDDoS

Published: 24 March 2026

Published
24 March 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 5.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4727 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Mozilla Firefox. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the CVE by requiring timely flaw remediation through patching Firefox and Thunderbird to version 149 or later, addressing the NSS resource exhaustion vulnerability.

SC-5 Denial-of-service Protection good match
prevent

Provides denial-of-service protection mechanisms such as resource limiting and validation to prevent exploitation of the uncontrolled resource consumption in NSS.

SC-6 Resource Availability good match
preventdetect

Ensures resource availability by allocating and monitoring resources to prevent exhaustion attacks like this CVE in the NSS libraries.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Remote resource exhaustion DoS (CWE-400) in NSS library directly enables T1499.004 Application or System Exploitation to impact availability with no auth/UI required.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Denial-of-service in the Libraries component in NSS. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

Deeper analysisAI

CVE-2026-4727 is a denial-of-service vulnerability (CWE-400: Uncontrolled Resource Consumption) in the Libraries component of NSS (Network Security Services). It affects Mozilla products that incorporate NSS, including Firefox and Thunderbird prior to version 149. The issue was publicly disclosed on March 24, 2026, and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Attackers can exploit this vulnerability remotely over the network with low complexity, requiring no authentication privileges or user interaction. Successful exploitation leads to a denial of service, causing high impact to availability through resource exhaustion, with no effects on confidentiality or integrity.

Mozilla's security advisories MFSA 2026-20 and MFSA 2026-23, along with Bugzilla entry 2008112, confirm the vulnerability and state that it was addressed in Firefox 149 and Thunderbird 149. Security practitioners should prioritize updating to these patched versions or later to mitigate the risk.

Details

CWE(s)
CWE-400

Affected Products

mozilla
firefox
≤ 149.0
mozilla
thunderbird
≤ 149.0

CVEs Like This One

CVE-2026-0889Same product: Mozilla Firefox
CVE-2026-6781Same product: Mozilla Firefox
CVE-2026-6777Same product: Mozilla Firefox
CVE-2026-6773Same product: Mozilla Firefox
CVE-2026-6746Same product: Mozilla Firefox
CVE-2026-4704Same product: Mozilla Firefox
CVE-2026-6754Same product: Mozilla Firefox
CVE-2026-4726Same product: Mozilla Firefox
CVE-2026-6780Same product: Mozilla Firefox
CVE-2026-6755Same product: Mozilla Firefox

References