Login Sign Up

CVE-2026-2764

9.8 CRITICAL

📋 TL;DR

This CVE describes a use-after-free vulnerability in Firefox's JavaScript JIT compiler that could allow arbitrary code execution. It affects Firefox versions below 148 and Firefox ESR versions below 115.33 or 140.8. Attackers could exploit this to execute malicious code in the browser context.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Firefox ESR
Versions: Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8
Operating Systems: Windows, Linux, macOS, Android
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special settings required for exploitation.

📦 What is this software?

Firefox by Mozilla

View all CVEs affecting Firefox →

Firefox by Mozilla

View all CVEs affecting Firefox →

Firefox by Mozilla

View all CVEs affecting Firefox →

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

Thunderbird by Mozilla

View all CVEs affecting Thunderbird →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to full system compromise, data theft, or ransomware deployment

🟠

Likely Case

Browser compromise allowing session hijacking, credential theft, or malware installation

🟢

If Mitigated

Limited impact with proper sandboxing and exploit mitigations in place

🌐 Internet-Facing: HIGH - Browser vulnerabilities are directly exposed to internet content
🏢 Internal Only: MEDIUM - Internal web applications could still trigger the vulnerability

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

JIT vulnerabilities typically require sophisticated exploitation but can be weaponized once understood

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2026-13/

Restart Required: Yes

Instructions:

1. Open Firefox menu > Help > About Firefox. 2. Allow automatic update to complete. 3. Restart Firefox when prompted. 4. Verify version is 148 or higher (or ESR 115.33/140.8 or higher).

🔧 Temporary Workarounds

Disable JavaScript

all

Temporarily disable JavaScript execution in Firefox

about:config > javascript.enabled = false

Use Content Security Policy

all

Implement strict CSP headers to limit script execution

Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Isolate vulnerable browsers using network segmentation
  • Implement application allowlisting to block Firefox execution

🔍 How to Verify

Check if Vulnerable:

Check Firefox version in menu > Help > About Firefox

Check Version:

firefox --version

Verify Fix Applied:

Confirm version is Firefox 148+ or ESR 115.33+/140.8+

📡 Detection & Monitoring

Log Indicators:

  • Firefox crash reports with JIT-related stack traces
  • Unexpected browser process termination

Network Indicators:

  • Unusual outbound connections from browser process
  • Suspicious JavaScript payloads in web traffic

SIEM Query:

process_name="firefox.exe" AND (event_id=1000 OR event_id=1001) AND stack_contains="js::jit"

📊 Metadata

CVE ID: CVE-2026-2764
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: February 24, 2026
Last Updated: February 28, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2764, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)