Cyber Posture

CVE-2026-5732

High

Published: 07 April 2026

Published
07 April 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0005 14.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-5732 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 14.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

SI-2 requires timely identification and remediation of flaws like the integer overflow in Firefox's Graphics: Text component by applying vendor patches such as Firefox 149.0.2.

SI-16 Memory Protection partial match
prevent

SI-16 implements memory protections like ASLR and DEP that mitigate exploitation of the integer overflow vulnerability even if unpatched.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

RA-5 uses vulnerability scanning to detect systems running vulnerable versions of Firefox or Thunderbird affected by CVE-2026-5732.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

Integer overflow in Mozilla Firefox/Thunderbird graphics component enables remote exploitation of client application for code execution with user interaction required, directly mapping to T1203 Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect boundary conditions, integer overflow in the Graphics: Text component. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

Deeper analysisAI

CVE-2026-5732 is an integer overflow vulnerability caused by incorrect boundary conditions in the Graphics: Text component. It affects Mozilla Firefox prior to version 149.0.2, Firefox ESR prior to 140.9.1, Thunderbird prior to 149.0.2, and Thunderbird prior to 140.9.1. The issue is classified under CWE-190 (Integer Overflow or Wraparound).

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), denoting high severity. Remote attackers with no privileges can exploit it over the network with low attack complexity, though it requires user interaction. Successful exploitation enables high-impact violations of confidentiality, integrity, and availability.

Mozilla advisories detail the fix in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1. Mitigation involves updating to these patched versions. Additional technical details are provided in Mozilla Security Advisories MFSA2026-25, MFSA2026-27, MFSA2026-28, MFSA2026-29, and Bugzilla bug 2017867.

Details

CWE(s)
CWE-190

Affected Products

mozilla
firefox
≤ 140.9.1 · ≤ 149.0.2

CVEs Like This One

CVE-2026-4705Same product: Mozilla Firefox
CVE-2026-6756Same product: Mozilla Firefox
CVE-2026-4690Same product: Mozilla Firefox
CVE-2026-4691Same product: Mozilla Firefox
CVE-2026-4723Same product: Mozilla Firefox
CVE-2026-4688Same product: Mozilla Firefox
CVE-2026-4698Same product: Mozilla Firefox
CVE-2026-2774Same product: Mozilla Firefox
CVE-2026-2781Same product: Mozilla Firefox
CVE-2026-4696Same product: Mozilla Firefox

References