CVE-2026-24868

6.5 MEDIUM

📋 TL;DR

This CVE describes a mitigation bypass vulnerability in Firefox's Privacy: Anti-Tracking component that could allow attackers to circumvent privacy protections. It affects Firefox versions below 147.0.2, potentially exposing users to enhanced tracking despite anti-tracking features being enabled.

💻 Affected Systems

Products:
  • Mozilla Firefox
Versions: All versions < 147.0.2
Operating Systems: Windows, macOS, Linux, Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Firefox installations with default privacy settings. Enhanced Tracking Protection must be enabled for the vulnerability to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass all privacy protections, enabling comprehensive user tracking, data collection, and potential correlation of browsing activities across sessions.

🟠 Likely Case

Targeted tracking of specific users or sessions, allowing advertisers or malicious actors to build more complete user profiles despite anti-tracking measures.

🟢 If Mitigated

Limited tracking capabilities with some privacy protections still functioning, though certain bypass methods may succeed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (visiting a malicious website) but no authentication. The available technical details suggest moderate complexity for reliable exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 147.0.2

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2026-06/

Restart Required: Yes

Instructions:

1. Open Firefox.
2. Click menu → Help → About Firefox.
3. Firefox will automatically check for updates and prompt to install version 147.0.2.
4. Restart Firefox when prompted.

🔧 Temporary Workarounds

Disable JavaScript (platform: all)

Temporarily disable JavaScript to prevent exploitation vectors.

about:config → javascript.enabled = false

Use Private Browsing Mode (platform: all)

Private browsing may limit tracking impact.

Ctrl+Shift+P (Windows/Linux) or Cmd+Shift+P (macOS)

🧯 If You Can't Patch

  • Use alternative browsers with updated privacy protections
  • Implement network-level tracking protection via proxy or firewall

🔍 How to Verify

Check if Vulnerable:

Check the Firefox version in Help → About Firefox. If the version is lower than 147.0.2, the installation is vulnerable.

Check Version:

firefox --version

Verify Fix Applied:

Confirm that the Firefox version shown in Help → About Firefox is 147.0.2 or higher.
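The version check above, as an added example that is not part of this advisory: it parses the output of `firefox --version` and compares it numerically against 147.0.2, because a plain string comparison misorders versions such as 147.0.10. The inventory lines are constructed sample data, and the `firefox` binary name is an assumption.

```python
import re
import subprocess

FIXED_VERSION = "147.0.2"  # first fixed release named in the advisory

def parse_version(text):
    """Extract the dotted version from text like 'Mozilla Firefox 147.0.1' as an int tuple."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def compare_versions(a, b):
    """Return -1, 0 or 1; pads shorter tuples so 147.0 compares equal to 147.0.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def is_vulnerable(version_text):
    """True when the reported version is lower than the fixed version."""
    return compare_versions(parse_version(version_text), parse_version(FIXED_VERSION)) < 0

def string_compare_is_vulnerable(version_text):
    """The naive lexicographic test (as in a query like version<"147.0.2"), shown for contrast."""
    return re.search(r"\d+(?:\.\d+)+", version_text).group(0) < FIXED_VERSION

def check_installed(binary="firefox"):
    """Run `<binary> --version` on this host and classify the result (assumed binary name)."""
    out = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True).stdout
    return out.strip(), is_vulnerable(out)

# Constructed inventory lines, one per host, in the format `firefox --version` prints.
SAMPLE_INVENTORY = [
    "Mozilla Firefox 146.0",
    "Mozilla Firefox 147.0.1",
    "Mozilla Firefox 147.0.2",
    "Mozilla Firefox 147.0.10",
]

def triage(lines=SAMPLE_INVENTORY):
    """Map each inventory line to (numeric verdict, naive string verdict) for comparison."""
    return {line: (is_vulnerable(line), string_compare_is_vulnerable(line)) for line in lines}

if __name__ == "__main__":
    for line, (numeric, naive) in triage().items():
        print(f"{line:28} vulnerable={numeric}  string-compare-says={naive}")
```

The last sample line is where the two methods disagree: 147.0.10 is a fixed release, but the string comparison flags it as vulnerable.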

📡 Detection & Monitoring

Log Indicators:

  • Unusual tracking cookie persistence
  • Multiple third-party domain requests from single sessions

Network Indicators:

  • Increased third-party tracker connections
  • Unusual cookie synchronization patterns

SIEM Query:

source="firefox.log" AND ("tracking" OR "privacy") AND version<"147.0.2"

Note that `version<"147.0.2"` compares version strings lexicographically, so a value such as "147.0.10" sorts before "147.0.2" and is wrongly matched; normalize the version field into numeric components before filtering.
