CRITICAL🇵🇱 Wersja polska

CVE-2026-2759

CVSS 9.8v3.1pub. 2026-02-24upd. 2026-06-30

Incorrect boundary conditions in the Graphics: ImageLib component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

🤖 AI Analysis
How it works

The error lies in improper verification of boundary conditions in the ImageLib library responsible for graphics processing. Incorrect boundary handling can lead to memory operations outside the permitted range when processing specially crafted image files or graphic content. A network attack vector (AV:N) without authentication requirements (PR:N) and user interaction (UI:N) means that simply visiting a malicious website or opening a crafted message may be sufficient to trigger the vulnerability.

Impact

Successful exploitation of this vulnerability may enable an attacker to gain full control over the confidentiality, integrity, and availability of the system — which corresponds to a High rating in all three CVSS categories. In practice, this may result in remote code execution (RCE) in the context of a browser or mail client process.

Mitigation & patch

Software must be updated immediately to the following patched versions: Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, or Thunderbird 140.8. Patches are available through Mozilla's automatic update mechanism and on official product websites.

Who is affected

Mozilla Firefox versions prior to 148 and Firefox ESR versions prior to 115.33 and 140.8, as well as Mozilla Thunderbird versions prior to 148 and Thunderbird 140.8.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 115.33.0< 148.0128.0 – 140.8.0 (bez)
  • Mozilla Thunderbird

    APP
    Mozilla
    < 140.8.0< 148.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...