CRITICAL🇵🇱 Wersja polska

CVE-2026-4702

CVSS 9.8v3.1pub. 2026-03-24upd. 2026-04-13

JIT miscompilation in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-843 (Type Confusion) involves incorrect handling of data types by the JavaScript engine JIT compiler. A JIT compilation error can lead to a situation where JavaScript code executed in the browser operates on data in a manner inconsistent with their actual type. An attacker can craft malicious JavaScript code and deliver it to a victim, for example by visiting an appropriately prepared website or opening an email message containing a malicious script.

Impact

Successful exploitation of the vulnerability may allow an attacker to gain full control over the confidentiality, integrity, and availability of the system, including potentially remote code execution (RCE) in the context of the application.

Mitigation & patch

Mozilla Firefox should be updated to version 149 or later, Mozilla Firefox ESR to version 140.9 or later, Mozilla Thunderbird to version 149 or later, and Mozilla Thunderbird ESR to version 140.9 or later. Details are available in Mozilla security advisories (mfsa2026-20, mfsa2026-22, mfsa2026-23, mfsa2026-24).

Who is affected

Mozilla Firefox versions prior to 149, Mozilla Firefox ESR versions prior to 140.9, Mozilla Thunderbird versions prior to 149, and Mozilla Thunderbird ESR versions prior to 140.9.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 140.9.0< 149.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...