CVE-2026-2785
published 2026-02-24CVE-2026-2785: Invalid pointer in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
Invalid pointer in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
Affected
12 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | firefox | < firefox 148.0-1 (sid) | firefox 148.0-1 (sid) |
| debian | firefox-esr | < firefox 148.0-1 (sid) | firefox 148.0-1 (sid) |
| debian | thunderbird | < firefox 148.0-1 (sid) | firefox 148.0-1 (sid) |
| mozilla | firefox | < 140.8.0 | 140.8.0 |
| mozilla | firefox | < 148.0 | 148.0 |
| mozilla | firefox | — | — |
| mozilla | thunderbird | < 140.8.0 | 140.8.0 |
| mozilla | thunderbird | < 148.0 | 148.0 |
| mozilla | thunderbird | >= 0 < 1:140.8.0esr-1~deb11u1 | 1:140.8.0esr-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:140.8.0esr-1~deb12u1 | 1:140.8.0esr-1~deb12u1 |
| mozilla | thunderbird | >= 0 < 1:140.8.0esr-1~deb13u1 | 1:140.8.0esr-1~deb13u1 |
| mozilla | thunderbird | >= 0 < 1:140.8.0esr-1 | 1:140.8.0esr-1 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL