CVE-2026-4716 - Vulnerability Details

Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Mozilla	Firefox Firefox Esr

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*

No data.

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=2018592
https://nvd.nist.gov/vuln/detail/CVE-2026-4716
https://www.cve.org/CVERecord?id=CVE-2026-4716
https://www.mozilla.org/security/advisories/mfsa2026-20/
https://www.mozilla.org/security/advisories/mfsa2026-22/
https://www.mozilla.org/security/advisories/mfsa2026-22/#CVE-2026-4716
https://www.mozilla.org/security/advisories/mfsa2026-23/
https://www.mozilla.org/security/advisories/mfsa2026-24/
https://www.mozilla.org/security/advisories/mfsa2026-24/#CVE-2026-4716

History

Mon, 13 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description	Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.	Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Thu, 26 Mar 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-824
References		https://nvd.nist.gov/vuln/detail/CVE-2026-4716 https://www.cve.org/CVERecord?id=CVE-2026-4716 https://www.mozilla.org/security/advisories/mfsa2026-22/#CVE-2026-4716 https://www.mozilla.org/security/advisories/mfsa2026-24/#CVE-2026-4716
Metrics	threat_severity `None`	threat_severity `Moderate`

Wed, 25 Mar 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 25 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla firefox Esr
Vendors & Products		Mozilla firefox Esr

Tue, 24 Mar 2026 21:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox
Weaknesses		CWE-908
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:firefox:::::esr:::*
Vendors & Products		Mozilla Mozilla firefox
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}`

Tue, 24 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description	Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.	Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.
References		https://www.mozilla.org/security/advisories/mfsa2026-23/ https://www.mozilla.org/security/advisories/mfsa2026-24/

Tue, 24 Mar 2026 12:45:00 +0000

Type	Values Removed	Values Added
Description		Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 149 and Firefox ESR < 140.9.
Title		Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component
References		https://bugzilla.mozilla.org/show_bug.cgi?id=2018592 https://www.mozilla.org/security/advisories/mfsa2026-20/ https://www.mozilla.org/security/advisories/mfsa2026-22/

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2026-03-24T12:30:39.453Z

Updated: 2026-04-13T13:51:01.318Z

Reserved: 2026-03-23T23:22:33.703Z

Link: CVE-2026-4716

Vulnrichment

Updated: 2026-03-25T19:24:48.332Z

NVD

Status : Modified

Published: 2026-03-24T13:16:07.503

Modified: 2026-04-13T15:17:43.250

Link: CVE-2026-4716

Redhat

Severity : Moderate

Publid Date: 2026-03-24T12:30:39Z

Links: CVE-2026-4716 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object