CVE-2026-2798

8.8 HIGH

📋 TL;DR

This CVE is a use-after-free in Firefox's DOM Core & HTML component. A web page can trigger it to crash the browser or, with heap grooming, run arbitrary code in the content process. Firefox before 148 is affected; users on a vulnerable version are at risk whenever they load an attacker-controlled or compromised site.

💻 Affected Systems

Products:
  • Mozilla Firefox
Versions: All versions < 148
Operating Systems: Windows, Linux, macOS, Android (Firefox for iOS is built on Apple's WebKit engine rather than Gecko and does not contain this component)
Default Config Vulnerable: ⚠️ Yes
Notes: All Firefox installations with default settings are vulnerable. No extension or setting fixes the bug itself; disabling JavaScript (see workarounds) only removes the usual trigger path, and Enhanced Tracking Protection does not block an attacker's own page.

📦 What is this software?

Mozilla Firefox is a cross-platform web browser built on Mozilla's Gecko engine. DOM Core & HTML is the Gecko component that implements the document object model: the in-memory tree of nodes that a web page's scripts create, modify and remove. Because any page can drive that code with script, memory-safety bugs in it are reachable with no privilege beyond getting the user to load a URL.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Arbitrary code execution in the content process; chained with a sandbox escape, complete compromise of the host, data theft, or ransomware deployment.

🟠 Likely Case: Tab or browser crash (denial of service); going further needs a reliable exploit for this bug plus a second bug to escape the sandbox.

🟢 If Mitigated: With the process sandbox intact and no chained bug, impact is limited to a crashed tab or browser instability.

🌐 Internet-Facing: HIGH - Exploitable by any page the user loads (a malicious site, a compromised legitimate site, or a malicious ad) with no interaction beyond loading it.
🏢 Internal Only: MEDIUM - Requires the user to load a malicious or compromised internal page, or content injected into one.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploiting a use-after-free reliably takes heap grooming: the attacker's script must trigger the free, then reclaim the freed allocation with attacker-controlled data before the stale pointer is used again. In a browser, script gives the attacker fine control over allocation and timing, which is why DOM use-after-frees are routinely turned into code execution once the trigger is known, even though the initial analysis takes specialist memory-layout knowledge.
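To show what this bug class looks like in code, here is an added example that is not Mozilla's code and not the CVE-2026-2798 defect itself (the advisory does not describe the bug at that level): a toy refcounted DOM tree in which a node is held by raw pointer across an event dispatch that can run attacker-controlled script, beside the hardened form that holds a strong reference for the duration (the job RefPtr<> does in Gecko). Node, Document, RefGuard and the listener that removes the node are constructed for the example and are assumptions, not Gecko types.

```cpp
// Added illustration of the DOM use-after-free pattern, not Mozilla code and
// not the CVE-2026-2798 defect. Node/Document/RefGuard are toy stand-ins
// (assumptions) for Gecko's refcounted DOM objects and RefPtr<>.
#include <algorithm>
#include <cstdio>
#include <cstring>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Intrusively refcounted node, AddRef/Release style.
struct Node {
    std::string name;
    int refcnt = 0;
    explicit Node(std::string n) : name(std::move(n)) {}
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) delete this; }
};

// Owns one reference per child; DispatchEvent() is the "script may run here" point.
struct Document {
    std::vector<Node*> children;
    std::function<void(Document&)> onEvent;   // attacker-controlled listener
    Document() = default;
    Document(const Document&) = delete;
    Document& operator=(const Document&) = delete;
    ~Document() { for (Node* n : children) n->Release(); }

    Node* AppendChild(const std::string& name) {
        Node* n = new Node(name);
        n->AddRef();                          // the document's own reference
        children.push_back(n);
        return n;
    }
    void RemoveChild(Node* n) {
        auto it = std::find(children.begin(), children.end(), n);
        if (it == children.end()) return;
        children.erase(it);
        n->Release();                         // frees n if nobody else holds it
    }
    void DispatchEvent() { if (onEvent) onEvent(*this); }
};

// VULNERABLE: raw pointer kept across DispatchEvent(). If the listener removes
// `first`, its only reference is dropped, the object is freed, and the final
// read is a heap use-after-free (AddressSanitizer reports it).
std::string ProcessFirstChild_Vulnerable(Document& doc) {
    Node* first = doc.children.front();
    doc.DispatchEvent();
    return first->name;                       // dangling if the listener removed it
}

// Scoped strong reference, the role RefPtr<> plays in Gecko.
struct RefGuard {
    Node* n;
    explicit RefGuard(Node* p) : n(p) { n->AddRef(); }
    ~RefGuard() { n->Release(); }
    RefGuard(const RefGuard&) = delete;
    RefGuard& operator=(const RefGuard&) = delete;
};

// HARDENED: take a strong reference before anything that can run script, so
// removal from the tree drops the document's reference, never the last one.
std::string ProcessFirstChild_Hardened(Document& doc) {
    Node* first = doc.children.front();
    RefGuard keepAlive(first);                // refcount 1 -> 2
    doc.DispatchEvent();                      // listener's RemoveChild: 2 -> 1
    return first->name;                       // still alive; freed when keepAlive ends
}

// Constructed scenario: a listener that removes the node being processed.
// Returns {name read after the event, children left in the document}.
std::pair<std::string, size_t> RunScenario(bool hardened) {
    Document doc;
    Node* first = doc.AppendChild("first");
    doc.AppendChild("second");
    doc.onEvent = [first](Document& d) { d.RemoveChild(first); };
    std::string name = hardened ? ProcessFirstChild_Hardened(doc)
                                : ProcessFirstChild_Vulnerable(doc);
    return {name, doc.children.size()};
}

int main(int argc, char** argv) {
    // Build: clang++ -std=c++17 -g -fsanitize=address uaf.cpp -o uaf
    // ./uaf takes the hardened path; ./uaf --vulnerable triggers the ASan report.
    bool vulnerable = argc > 1 && std::strcmp(argv[1], "--vulnerable") == 0;
    auto r = RunScenario(!vulnerable);
    std::printf("read \"%s\", %zu child(ren) remain\n", r.first.c_str(), r.second);
    return 0;
}
```

Built with AddressSanitizer, the `--vulnerable` run reports a heap-use-after-free at the final read in ProcessFirstChild_Vulnerable, with the free attributed to RemoveChild inside the listener; the default run takes the hardened path and returns "first" with one child left in the document. The fix is the same shape Mozilla applies to this bug class: own a reference across any call that can re-enter script, rather than trusting the tree to keep the node alive.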

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 148

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2026-13/

Restart Required: Yes

Instructions:

1. Open Firefox.
2. Click menu → Help → About Firefox.
3. Firefox checks for updates and installs Firefox 148 (or later).
4. Restart Firefox when prompted; the fix is not active until the new binary is running.

On Linux distributions that ship Firefox through their package manager, update with the package manager instead of the in-browser updater. In managed fleets, push the update through your normal software-distribution tooling and confirm the installed version afterwards (see How to Verify).

🔧 Temporary Workarounds

Disable JavaScript (all platforms)

Disabling JavaScript removes the attacker's usual way of triggering the free and grooming the heap. It breaks most modern sites, so treat it as a short-term measure until the update is installed.

about:config → javascript.enabled → false

Enhanced Tracking Protection, Strict (all platforms)

Blocks known tracker, fingerprinting and cryptominer domains, which removes some malicious-ad and third-party script delivery paths. It does not block an attacker's own page and is not a mitigation for this bug on its own.

Settings → Privacy & Security → Enhanced Tracking Protection → Strict

🧯 If You Can't Patch

  • Restrict browser usage to trusted websites only
  • Implement network filtering to block access to known malicious domains

🔍 How to Verify

Check if Vulnerable:

Check Firefox version: about:support → Application Basics → Version. If version is less than 148, you are vulnerable.

Check Version:

firefox --version (Linux). On macOS the binary is not on PATH by default: /Applications/Firefox.app/Contents/MacOS/firefox --version. On any platform, about:support → Application Basics → Version.

Verify Fix Applied:

Verify Firefox version is 148 or higher in about:support after update.

📡 Detection & Monitoring

Log Indicators:

  • Firefox crash reports (about:crashes, or crash-reporter submissions collected centrally) showing a memory access violation (EXCEPTION_ACCESS_VIOLATION on Windows, SIGSEGV on Linux/macOS), especially with a stack in DOM code
  • Unexpected content-process or browser termination events on endpoints
  • DOM manipulation errors in the console are a weak signal: a working exploit page typically produces none

Network Indicators:

  • Unusual outbound connections after visiting websites
  • Traffic to known exploit kit domains

SIEM Query (field names are placeholders in a Splunk-style search; map them to your endpoint or crash-report log source):

source="firefox.logs" AND (event_type="crash" OR error="use-after-free" OR error="memory_access")

The literal string "use-after-free" appears only in sanitizer (ASan) builds; release builds report a generic access violation, so match on the crash event and the faulting module or stack rather than on that string.

🔗 References

  • Mozilla Foundation Security Advisory: https://www.mozilla.org/security/advisories/mfsa2026-13/