CVE-2026-2774

9.8 CRITICAL

📋 TL;DR

An integer overflow vulnerability in Firefox's Audio/Video component could allow attackers to execute arbitrary code or cause denial of service. This affects Firefox versions below 148, Firefox ESR below 115.33, and Firefox ESR below 140.8. Users of these vulnerable versions are at risk when visiting malicious websites.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Firefox ESR
Versions: Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment
🟠 Likely Case: Browser crash/denial of service, potential memory corruption leading to limited code execution
🟢 If Mitigated: Browser crash with no further impact if sandboxing and other security controls function properly

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (visiting malicious website). No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2026-13/

Restart Required: Yes

Instructions:

1. Open Firefox.
2. Click menu → Help → About Firefox.
3. Firefox will automatically check for updates and install them.
4. Restart Firefox when prompted.

🔧 Temporary Workarounds

Disable Audio/Video Components (all platforms)

Temporarily disable vulnerable audio/video processing features:

about:config → media.webspeech.synth.enabled → false
about:config → media.webspeech.recognition.enabled → false

🧯 If You Can't Patch

  • Restrict browser usage to trusted websites only
  • Implement network filtering to block malicious content delivery

🔍 How to Verify

Check if Vulnerable:

Check the Firefox version via menu → Help → About Firefox. If the version is below 148 (or ESR below 115.33 / 140.8), the installation is vulnerable.

Check Version:

firefox --version

Verify Fix Applied:

After updating, verify that the version shown is Firefox 148 or higher, or ESR 115.33 / 140.8 or higher.
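As an added example (not part of the advisory), the check below parses the banner printed by `firefox --version` and compares it against the fixed versions listed above. It assumes the banner has the form `Mozilla Firefox 140.7.0esr`, with an `esr` suffix on ESR builds; an ESR branch the advisory does not name is reported as unknown rather than guessed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions given in the advisory: mainline 148, ESR 115.33 and ESR 140.8.
FIXED_MAINLINE = (148, 0)
FIXED_ESR = {115: (115, 33), 140: (140, 8)}

# Assumed banner format, e.g. "Mozilla Firefox 147.0.2" or "Mozilla Firefox 140.7.0esr".
_BANNER_RE = re.compile(r"Mozilla Firefox\s+(\d+)\.(\d+)(?:\.\d+)?(esr)?")


def parse_banner(banner: str) -> Optional[Tuple[int, int, bool]]:
    """Return (major, minor, is_esr) from a `firefox --version` banner, or None."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3) is not None


def assess(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'fixed' or 'unknown' for CVE-2026-2774."""
    parsed = parse_banner(banner)
    if parsed is None:
        return "unknown"
    major, minor, is_esr = parsed
    if not is_esr:
        # Mainline release train: anything before 148 is affected.
        return "vulnerable" if (major, minor) < FIXED_MAINLINE else "fixed"
    fixed = FIXED_ESR.get(major)
    if fixed is None:
        # An ESR branch the advisory does not list (e.g. 128.x): do not guess.
        return "unknown"
    return "vulnerable" if (major, minor) < fixed else "fixed"


def check_installed(binary: str = "firefox") -> str:
    """Run `<binary> --version` on this host and classify the result."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=30, check=False).stdout
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return assess(out)


if __name__ == "__main__":
    print(check_installed())
```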

📡 Detection & Monitoring

Log Indicators:

  • Browser crash logs with audio/video component errors
  • Unexpected memory allocation failures in browser processes

Network Indicators:

  • Unusual traffic to/from browser process
  • Suspicious website visits preceding crashes

SIEM Query:

source="firefox.log" AND ("audio" OR "video") AND ("crash" OR "overflow" OR "memory")
