CVE-2026-4729
Published: 24 March 2026
Summary
CVE-2026-4729 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 24.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-4729 is a set of memory safety bugs (classified under CWE-120: Buffer Copy without Checking Size of Input) affecting Firefox version 148 and Thunderbird version 148. These bugs exhibited evidence of memory corruption, which Mozilla presumes could be leveraged with sufficient effort to enable arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote compromise.
Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, user interaction, or special conditions. Successful exploitation could grant attackers high confidentiality, integrity, and availability impacts, potentially allowing full control over the affected browser or email client processes, including execution of arbitrary code within the victim's environment.
Mozilla's security advisories (MFSA 2026-20 and MFSA 2026-23) address the issue, with fixes implemented in Firefox 149 and Thunderbird 149. Security practitioners should prioritize updating affected instances to these versions, as detailed in the referenced Bugzilla entries for bugs 1944033, 1997282, 2009213, 2011412, 2021925, and 2022034.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14873
Vulnerability details
Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was…
more
fixed in Firefox 149 and Thunderbird 149.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Memory corruption RCE in client software (browser/email) directly enables drive-by compromise via malicious content (T1189), exploitation for client execution (T1203), and arbitrary code/command execution (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates timely identification, reporting, and patching of the memory safety bugs fixed in Firefox 149 and Thunderbird 149 to prevent exploitation.
Implements memory protection controls such as DEP and ASLR to directly prevent unauthorized code execution from memory corruption bugs like those in CVE-2026-4729.
Requires vulnerability scanning to identify the presence of CVE-2026-4729 in deployed Firefox and Thunderbird instances for subsequent remediation.