Login Sign Up

CVE-2026-2758

9.8 CRITICAL

📋 TL;DR

A use-after-free vulnerability in Firefox's JavaScript garbage collector component allows attackers to execute arbitrary code by manipulating memory after it has been freed. This affects Firefox versions below 148, Firefox ESR below 115.33, and Firefox ESR below 140.8. Users visiting malicious websites could have their systems compromised.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Firefox ESR
Versions: Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8
Operating Systems: Windows, Linux, macOS, Android
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special settings required for exploitation.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

Firefox by Mozilla

View all CVEs affecting Firefox →

Firefox by Mozilla

View all CVEs affecting Firefox →

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Browser crash or arbitrary code execution within browser context, potentially leading to credential theft or malware installation.

🟢

If Mitigated

Limited impact with proper browser sandboxing and security controls, potentially just browser crash.

🌐 Internet-Facing: HIGH - Exploitable via malicious websites without user interaction beyond visiting the site.
🏢 Internal Only: MEDIUM - Requires user to visit malicious internal site or click malicious link.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Use-after-free vulnerabilities typically require precise memory manipulation but are commonly exploited in browser attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2026-13/

Restart Required: Yes

Instructions:

1. Open Firefox menu > Help > About Firefox. 2. Allow browser to check for updates. 3. Restart Firefox when prompted. 4. Verify version is 148 or higher (or ESR 115.33/140.8 or higher).

🔧 Temporary Workarounds

Disable JavaScript

all

Temporarily disable JavaScript execution to prevent exploitation

about:config > javascript.enabled = false

Use Content Security Policy

all

Implement strict CSP headers to limit script execution

Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Restrict browser usage to trusted websites only
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check Firefox version in menu > Help > About Firefox

Check Version:

firefox --version

Verify Fix Applied:

Confirm version is Firefox 148+ or ESR 115.33+/140.8+

📡 Detection & Monitoring

Log Indicators:

  • Browser crash reports with memory access violations
  • Unusual JavaScript execution patterns

Network Indicators:

  • Requests to known malicious domains with JavaScript payloads

SIEM Query:

source="firefox.log" AND ("access violation" OR "segmentation fault")

📊 Metadata

CVE ID: CVE-2026-2758
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: February 24, 2026
Last Updated: February 26, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2758, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)