CVE-2026-4716

CWE-908 — Use of Uninitialized Resource CWE-82412 documents9 sources

Severity

9.1CRITICAL

EPSS

0.0%

top 93.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mozilla Firefox Mozilla Firefox ESR Mozilla Thunderbird

Timeline

PublishedMar 24

Description

Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:HExploitability: 3.9 | Impact: 5.2

Affected Packages6 packages

▶CVEListV5mozilla/firefoxunspecified — 149

▶NVDmozilla/firefox< 140.9.0+1

▶CVEListV5mozilla/firefox_esrunspecified — 140.9

▶CVEListV5mozilla/thunderbirdunspecified — 149+1

▶Debianfirefox-esr< 140.9.0esr-1~deb11u1+3

🔴Vulnerability Details

GHSA

GHSA-r67f-xmr7-94cc: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component↗2026-03-24

▶

OSV

CVE-2026-4716: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component↗2026-03-24

▶

CVEList

Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component↗2026-03-24

▶

📋Vendor Advisories

Red Hat

firefox: thunderbird: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component↗2026-03-24

▶

Debian

CVE-2026-4716: firefox - Incorrect boundary conditions, uninitialized memory in the JavaScript Engine com...↗2026

▶

Mozilla

Mozilla Foundation Security Advisory 2026-20: CVE-2026-4716↗

▶

Mozilla

Mozilla Foundation Security Advisory 2026-22: CVE-2026-4716↗

▶

Mozilla

Mozilla Foundation Security Advisory 2026-24: CVE-2026-4716↗

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4716 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-4716 firefox: thunderbird: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component↗2026-03-24

▶