Mozilla Foundation Security Advisory 2026-20

Security Vulnerabilities fixed in Firefox 149

Announced

March 24, 2026

Impact

high

Products

Firefox

Fixed in

Firefox 149

#CVE-2026-4684: Race condition, use-after-free in the Graphics: WebRender component

Reporter: Oskar L
Impact: high

References

Bug 2011129

#CVE-2026-4685: Incorrect boundary conditions in the Graphics: Canvas2D component

Reporter: Sajeeb Lohani
Impact: high

References

Bug 2016349

#CVE-2026-4686: Incorrect boundary conditions in the Graphics: Canvas2D component

Reporter: Sajeeb Lohani
Impact: high

References

Bug 2016351

#CVE-2026-4687: Sandbox escape due to incorrect boundary conditions in the Telemetry component

Reporter: Sajeeb Lohani
Impact: high

References

Bug 2016368

#CVE-2026-4688: Sandbox escape due to use-after-free in the Disability Access APIs component

Reporter: Sajeeb Lohani
Impact: high

References

Bug 2016373

#CVE-2026-4689: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component

Reporter: Sajeeb Lohani
Impact: high

References

Bug 2016374

#CVE-2026-4690: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component

Reporter: Sajeeb Lohani
Impact: high

References

Bug 2016375

#CVE-2026-4691: Use-after-free in the CSS Parsing and Computation component

Reporter: Fabius Artrel
Impact: high

References

Bug 2017512

#CVE-2026-4692: Sandbox escape in the Responsive Design Mode component

Reporter: Tom Ritter
Impact: high

References

Bug 2017643

#CVE-2026-4693: Incorrect boundary conditions in the Audio/Video: Playback component

Reporter: Sajeeb Lohani
Impact: high

References

Bug 2018102

#CVE-2026-4694: Incorrect boundary conditions, integer overflow in the Graphics component

Reporter: Sajeeb Lohani
Impact: high

References

Bug 2018430

#CVE-2026-4695: Incorrect boundary conditions in the Audio/Video: Web Codecs component

Reporter: Atte Kettunen
Impact: high

References

Bug 2020030

#CVE-2026-4696: Use-after-free in the Layout: Text and Fonts component

Reporter: Sota Wada
Impact: high

References

Bug 2020190

#CVE-2026-4697: Incorrect boundary conditions in the Audio/Video: Web Codecs component

Reporter: Lorenzo
Impact: high

References

Bug 2020422

#CVE-2026-4698: JIT miscompilation in the JavaScript Engine: JIT component

Reporter: maxpl0it working with Trend Micro Zero Day Initiative
Impact: high

References

Bug 2020906

#CVE-2026-4699: Incorrect boundary conditions in the Layout: Text and Fonts component

Reporter: Matej Smycka
Impact: high

References

Bug 2021863

#CVE-2026-4700: Mitigation bypass in the Networking: HTTP component

Reporter: pizzahunthack1
Impact: moderate

References

Bug 2003766

#CVE-2026-4701: Use-after-free in the JavaScript Engine component

Reporter: Gary Kwong
Impact: moderate

References

Bug 2009303

#CVE-2026-4722: Privilege escalation in the IPC component

Reporter: Nika Layzell
Impact: moderate

References

Bug 2010097

#CVE-2026-4702: JIT miscompilation in the JavaScript Engine component

Reporter: Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic
Impact: moderate

References

Bug 2013560

#CVE-2026-4723: Use-after-free in the JavaScript Engine component

Reporter: Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic
Impact: moderate

References

Bug 2013573

#CVE-2026-4724: Undefined behavior in the Audio/Video component

Reporter: Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic
Impact: moderate

References

Bug 2014865

#CVE-2026-4704: Denial-of-service in the WebRTC: Signaling component

Reporter: Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic
Impact: moderate

References

Bug 2014868

#CVE-2026-4705: Undefined behavior in the WebRTC: Signaling component

Reporter: Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic
Impact: moderate

References

Bug 2014873

#CVE-2026-4706: Incorrect boundary conditions in the Graphics: Canvas2D component

Reporter: Jun Yang
Impact: moderate

References

Bug 2015091

#CVE-2026-4707: Incorrect boundary conditions in the Graphics: Canvas2D component

Reporter: Sajeeb Lohani
Impact: moderate

References

Bug 2015267

#CVE-2026-4708: Incorrect boundary conditions in the Graphics component

Reporter: Sajeeb Lohani
Impact: moderate

References

Bug 2015268

#CVE-2026-4709: Incorrect boundary conditions in the Audio/Video: GMP component

Reporter: Sajeeb Lohani
Impact: moderate

References

Bug 2016329

#CVE-2026-4710: Incorrect boundary conditions in the Audio/Video component

Reporter: Sajeeb Lohani
Impact: moderate

References

Bug 2016370

#CVE-2026-4711: Use-after-free in the Widget: Cocoa component

Reporter: Josh Aas
Impact: moderate

References

Bug 2017002

#CVE-2026-4725: Sandbox escape due to use-after-free in the Graphics: Canvas2D component

Reporter: Jun Yang
Impact: moderate

References

Bug 2017108

#CVE-2026-4712: Information disclosure in the Widget: Cocoa component

Reporter: Josh Aas
Impact: moderate

References

Bug 2017666

#CVE-2026-4713: Incorrect boundary conditions in the Graphics component

Reporter: Sajeeb Lohani
Impact: moderate

References

Bug 2018113

#CVE-2026-4714: Incorrect boundary conditions in the Audio/Video component

Reporter: Sajeeb Lohani
Impact: moderate

References

Bug 2018126

#CVE-2026-4715: Uninitialized memory in the Graphics: Canvas2D component

Reporter: Jun Yang
Impact: moderate

References

Bug 2018405

#CVE-2026-4716: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component

Reporter: Pwn2addr
Impact: moderate

References

Bug 2018592

#CVE-2026-4717: Privilege escalation in the Netmonitor component

Reporter: Satoki Tsuji
Impact: moderate

References

Bug 2021695

#CVE-2026-4726: Denial-of-service in the XML component

Reporter: Hanno Boeck
Impact: low

References

Bug 1955311

#CVE-2025-59375: Denial-of-service in the XML component

Reporter: Jan Horak
Impact: low

References

Bug 1988467

#CVE-2026-4727: Denial-of-service in the Libraries component in NSS

Reporter: Cody
Impact: low

References

Bug 2008112

#CVE-2026-4728: Spoofing issue in the Privacy: Anti-Tracking component

Reporter: Aswinkumar Gokulakannan
Impact: low

References

Bug 2013179

#CVE-2026-4718: Undefined behavior in the WebRTC: Signaling component

Reporter: Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic
Impact: low

References

Bug 2014864

#CVE-2026-4719: Incorrect boundary conditions in the Graphics: Text component

Reporter: Sajeeb Lohani
Impact: low

References

Bug 2016367

#CVE-2026-4720: Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149

Reporter: Christian Holler, Gabriele Svelto, Tom Schuster and the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149

#CVE-2026-4729: Memory safety bugs fixed in Firefox 149 and Thunderbird 149

Reporter: Christian Holler, Fatih Kilic, Tom Schuster and the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox 149 and Thunderbird 149

#CVE-2026-4721: Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149

Reporter: Christian Holler, Timothy Nikkel, Tom Schuster and the Mozilla Fuzzing Team
Impact: high

Description

Memory safety bugs present in Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.

References

Memory safety bugs fixed in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149

Firefox browsers

Mozilla VPN

Mozilla Monitor

Firefox Relay

MDN Plus

Thunderbird

Solo

0DIN

Tabstack

About Mozilla

The Mozilla Manifesto

Get Involved

Blog