CVE-2026-2634
📋 TL;DR
This vulnerability in Firefox for iOS allows malicious scripts to desynchronize the address bar from actual web content before a server response arrives. Attackers can present their own pages under spoofed domain names, potentially tricking users into interacting with malicious sites. Only Firefox for iOS users running versions below 147.4 are affected.
💻 Affected Systems
- Firefox for iOS
📦 What is this software?
Firefox by Mozilla
⚠️ Risk & Real-World Impact
Worst Case
Users could be tricked into entering sensitive information (passwords, financial data) into attacker-controlled pages that appear to be legitimate websites, leading to credential theft, financial fraud, or malware installation.
Likely Case
Attackers create convincing phishing pages that appear to be legitimate sites (like banks or social media), tricking users into submitting login credentials or personal information.
If Mitigated
With proper user awareness training and browser security features enabled, users might notice inconsistencies or receive warnings about suspicious activity, reducing the rate of successful exploitation.
🎯 Exploit Status
Exploitation requires user interaction (visiting a malicious website) but no authentication. The vulnerability is in the browser's UI synchronization logic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 147.4
Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2026-12/
Restart Required: Yes
Instructions:
1. Open the App Store on your iOS device.
2. Search for Firefox.
3. Tap 'Update' to install version 147.4 or later.
4. Restart Firefox after the update completes.
🔧 Temporary Workarounds
Use alternative browser
Temporarily switch to a different browser (like Safari or Chrome) until Firefox is updated.
Disable JavaScript
Disabling JavaScript in Firefox settings may prevent exploitation but will break many websites.
🧯 If You Can't Patch
- Educate users to verify URLs carefully before entering sensitive information
- Implement web filtering to block known malicious domains
🔍 How to Verify
Check if Vulnerable:
Open Firefox on iOS, go to Settings > About Firefox, and check if version is below 147.4.
Check Version:
No command-line version check is available on iOS; use the Settings > About Firefox menu as described above.
Verify Fix Applied:
After updating, confirm version is 147.4 or higher in Settings > About Firefox.
📡 Detection & Monitoring
Log Indicators:
- Unusual browser crashes or unexpected domain changes in user browsing patterns
Network Indicators:
- Requests to suspicious domains that don't match address bar URLs
SIEM Query:
Not typically applicable for mobile browser vulnerabilities