Cyber Resilience

CVE-2026-7321

Critical

Published: 28 April 2026

Published
28 April 2026
Modified
01 May 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0026 17.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-7321 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Mozilla Firefox. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-7321 is a sandbox escape vulnerability stemming from incorrect boundary conditions, classified under CWE-120 (Buffer Copy without Bounds Check), in the WebRTC Networking component. It affects Mozilla Firefox, Thunderbird, Firefox ESR, and Thunderbird ESR prior to their respective fixed versions: Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird ESR 140.10.1. The vulnerability carries a CVSS v3.1 base score of 9.6, reflecting its critical severity due to network accessibility, low attack complexity, and high potential impact.

An attacker can exploit this vulnerability remotely over the network without privileges by tricking a user into interacting with malicious content, such as visiting a specially crafted webpage that triggers the WebRTC Networking flaw. Successful exploitation changes the scope from the sandboxed context to the broader system, granting high confidentiality, integrity, and availability impacts, potentially allowing arbitrary code execution, data theft, or full system compromise on the targeted machine.

Mozilla's security advisories (MFSA 2026-30, 2026-33, 2026-36, and 2026-39) and the associated Bugzilla entry (bug 2029461) confirm the issue was addressed in the specified versions. Security practitioners should prioritize updating affected browsers and email clients to the patched releases, disable WebRTC if not required, and educate users on avoiding suspicious links or media streams.

EU & UK References

Vulnerability details

Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Thunderbird 140.10.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The CVE describes a browser sandbox escape via buffer overflow in WebRTC, triggered by visiting a malicious webpage, directly enabling Drive-by Compromise (T1189) for initial access and Exploitation for Client Execution (T1203) to achieve arbitrary code execution outside the sandbox.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4720Same product: Mozilla Firefox
CVE-2026-4721Same product: Mozilla Firefox
CVE-2026-4729Same product: Mozilla Firefox
CVE-2026-2790Same product: Mozilla Firefox
CVE-2025-1011Same product: Mozilla Firefox
CVE-2026-6751Same product: Mozilla Firefox
CVE-2026-2795Same product: Mozilla Firefox
CVE-2026-2775Same product: Mozilla Firefox
CVE-2026-6783Same product: Mozilla Firefox
CVE-2025-1942Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 140.10.1 · ≤ 150.0
mozilla
thunderbird
≤ 140.10.1 · ≤ 150.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identification, reporting, and correction of flaws like the buffer copy without bounds check in the WebRTC networking component via timely patching.

prevent

Prohibits or restricts unnecessary functions such as WebRTC to eliminate exposure to the vulnerable networking component.

prevent

Implements memory safeguards that protect against unauthorized code execution stemming from the boundary condition error in WebRTC.

References