Cyber Resilience

CVE-2026-5732

HighUpdated

Published: 07 April 2026

Published
07 April 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0027 17.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-5732 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 17.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-5732 is an integer overflow vulnerability caused by incorrect boundary conditions in the Graphics: Text component. It affects Mozilla Firefox prior to version 149.0.2, Firefox ESR prior to 140.9.1, Thunderbird prior to 149.0.2, and Thunderbird prior to 140.9.1. The issue is classified under CWE-190 (Integer Overflow or Wraparound).

The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), denoting high severity. Remote attackers with no privileges can exploit it over the network with low attack complexity, though it requires user interaction. Successful exploitation enables high-impact violations of confidentiality, integrity, and availability.

Mozilla advisories detail the fix in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1. Mitigation involves updating to these patched versions. Additional technical details are provided in Mozilla Security Advisories MFSA2026-25, MFSA2026-27, MFSA2026-28, MFSA2026-29, and Bugzilla bug 2017867.

EU & UK References

Vulnerability details

Incorrect boundary conditions, integer overflow in the Graphics: Text component. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Integer overflow in Mozilla Firefox/Thunderbird graphics component enables remote exploitation of client application for code execution with user interaction required, directly mapping to T1203 Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6756Same product: Mozilla Firefox
CVE-2026-4705Same product: Mozilla Firefox
CVE-2026-8949Same product: Mozilla Firefox
CVE-2026-4690Same product: Mozilla Firefox
CVE-2026-4700Same product: Mozilla Firefox
CVE-2026-8389Same product: Mozilla Firefox
CVE-2026-8956Same product: Mozilla Firefox
CVE-2026-4691Same product: Mozilla Firefox
CVE-2026-2762Same product: Mozilla Firefox
CVE-2026-2774Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 140.9.1 · ≤ 149.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely identification and remediation of flaws like the integer overflow in Firefox's Graphics: Text component by applying vendor patches such as Firefox 149.0.2.

prevent

SI-16 implements memory protections like ASLR and DEP that mitigate exploitation of the integer overflow vulnerability even if unpatched.

detect

RA-5 uses vulnerability scanning to detect systems running vulnerable versions of Firefox or Thunderbird affected by CVE-2026-5732.

References