CRITICAL🇵🇱 Wersja polska

CVE-2026-2785

CVSS 9.8v3.1pub. 2026-02-24upd. 2026-04-13

Invalid pointer in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

🤖 AI Analysis
How it works

The bug consists of using an invalid (uninitialized or invalidated) pointer in the JavaScript engine component. Incorrect access to such a pointer can lead to memory corruption of the process. An attacker can provide specially crafted JavaScript code (e.g., through a malicious website or email message) that triggers this error.

Impact

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code remotely (RCE) in the context of the application, as well as compromise the confidentiality, integrity, and availability of the system.

Mitigation & patch

Update to Firefox 148, Firefox ESR 140.8, Thunderbird 148, or Thunderbird 140.8, in which the vulnerability has been fixed. Patches are available in the vendor references (mozilla.org/security/advisories).

Who is affected

Mozilla Firefox (versions prior to 148), Mozilla Firefox ESR (versions prior to 140.8), Mozilla Thunderbird (versions prior to 148), Mozilla Thunderbird ESR (versions prior to 140.8)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 140.8.0< 148.0
  • Mozilla Thunderbird

    APP
    Mozilla
    < 140.8.0< 148.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...