Severity
8.6 HIGH (NVD)
EPSS
0.0%
top 94.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Mar 24

Description

Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 4.0

Affected Packages: 2 packages

NVD mozilla/firefox 128.0 140.9.0 +2
Debian mozilla/thunderbird < 1:140.9.0esr-1~deb11u1 +3

🔴 Vulnerability Details

3
OSV
CVE-2026-4690: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component (2026-03-24)
CVEList
Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component (2026-03-24)
GHSA
GHSA-r7ww-hwqf-cqr6: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component (2026-03-24)

📋 Vendor Advisories

7
Red Hat
firefox: thunderbird: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component (2026-03-24)
Debian
CVE-2026-4690: firefox - Sandbox escape due to incorrect boundary conditions, integer overflow in the XPC... 2026
Mozilla
Mozilla Foundation Security Advisory 2026-21: CVE-2026-4690
Mozilla
Mozilla Foundation Security Advisory 2026-23: CVE-2026-4690
Mozilla
Mozilla Foundation Security Advisory 2026-22: CVE-2026-4690

🕵️ Threat Intelligence

1
Wiz
CVE-2026-4690 Impact, Exploitability, and Mitigation Steps | Wiz

💬 Community

1
Bugzilla
CVE-2026-4690 firefox: thunderbird: Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component (2026-03-24)
CVE-2026-4690 — Integer Overflow or Wraparound | cvebase