Published under advisory MFSA 2026-20, the security update carries an overall “high” impact rating from Mozilla. The 37 CVEs are distributed across three severity tiers: 16 rated high, 17 rated moderate, and 4 rated low.
Among the most alarming findings are six confirmed sandbox escape vulnerabilities, a class of flaw that allows attackers to break out of Firefox’s isolation boundary and execute arbitrary code directly on the host system.
The most critical vulnerabilities fixed in this release include multiple memory corruption and sandbox escape issues. CVE-2026-4684 involves a race condition and use-after-free in the Graphics: WebRender component, reported by Oskar L.
CVE-2026-4687, CVE-2026-4688, CVE-2026-4689, and CVE-2026-4690 are all sandbox escape flaws found in the Telemetry, Disability Access APIs, and XPCOM components, each carrying a high severity rating and reported by researcher Sajeeb Lohani.
CVE-2026-4698, a JIT miscompilation bug in the JavaScript Engine, was discovered by maxpl0it working with Trend Micro’s Zero Day Initiative and poses a high risk of arbitrary code execution.
Three memory safety rollup vulnerabilities, CVE-2026-4720, CVE-2026-4721, and CVE-2026-4729, round out the high-severity tier, with Mozilla noting that “some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.”
Also notable in this advisory is the contribution from a research team (Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger) who used Claude from Anthropic to discover six vulnerabilities.
These include CVE-2026-4702 (JIT miscompilation), CVE-2026-4723 (use-after-free in the JavaScript Engine), CVE-2026-4724 (undefined behavior in Audio/Video), and multiple WebRTC Signaling issues. This is the first multi-CVE AI-assisted contribution to a major browser security advisory.
| CVE ID | Vulnerability Description | Severity | Reporter |
|---|---|---|---|
| CVE-2026-4684 | Race condition, use-after-free | High | Oskar L |
| CVE-2026-4685 | Incorrect boundary conditions | High | Sajeeb Lohani |
| CVE-2026-4686 | Incorrect boundary conditions | High | Sajeeb Lohani |
| CVE-2026-4687 | Sandbox escape via incorrect boundary conditions | High | Sajeeb Lohani |
| CVE-2026-4688 | Sandbox escape via use-after-free | High | Sajeeb Lohani |
| CVE-2026-4689 | Sandbox escape via incorrect boundary conditions, integer overflow | High | Sajeeb Lohani |
| CVE-2026-4690 | Sandbox escape via incorrect boundary conditions, integer overflow | High | Sajeeb Lohani |
| CVE-2026-4691 | Use-after-free | High | Fabius Artrel |
| CVE-2026-4692 | Sandbox escape | High | Tom Ritter |
| CVE-2026-4693 | Incorrect boundary conditions | High | Sajeeb Lohani |
| CVE-2026-4694 | Incorrect boundary conditions, integer overflow | High | Sajeeb Lohani |
| CVE-2026-4695 | Incorrect boundary conditions | High | Atte Kettunen |
| CVE-2026-4696 | Use-after-free | High | Sota Wada |
| CVE-2026-4697 | Incorrect boundary conditions | High | Lorenzo |
| CVE-2026-4698 | JIT miscompilation | High | maxpl0it (Trend Micro ZDI) |
| CVE-2026-4699 | Incorrect boundary conditions | High | Matej Smycka |
| CVE-2026-4720 | Memory safety bugs (memory corruption / arbitrary code execution) | High | Christian Holler, Gabriele Svelto, Tom Schuster & Mozilla Fuzzing Team |
| CVE-2026-4729 | Memory safety bugs (memory corruption / arbitrary code execution) | High | Christian Holler, Fatih Kilic, Tom Schuster & Mozilla Fuzzing Team |
| CVE-2026-4721 | Memory safety bugs (memory corruption / arbitrary code execution) | High | Christian Holler, Timothy Nikkel, Tom Schuster & Mozilla Fuzzing Team |
| CVE-2026-4700 | Mitigation bypass | Moderate | pizzahunthack1 |
| CVE-2026-4701 | Use-after-free | Moderate | Gary Kwong |
| CVE-2026-4722 | Privilege escalation | Moderate | Nika Layzell |
| CVE-2026-4702 | JIT miscompilation | Moderate | Ben Asher et al. (via Claude/Anthropic) |
| CVE-2026-4723 | Use-after-free | Moderate | Ben Asher et al. (via Claude/Anthropic) |
| CVE-2026-4724 | Undefined behavior | Moderate | Ben Asher et al. (via Claude/Anthropic) |
| CVE-2026-4704 | Denial of service | Moderate | Ben Asher et al. (via Claude/Anthropic) |
| CVE-2026-4705 | Undefined behavior | Moderate | Ben Asher et al. (via Claude/Anthropic) |
| CVE-2026-4706 | Incorrect boundary conditions | Moderate | Jun Yang |
| CVE-2026-4707 | Incorrect boundary conditions | Moderate | Sajeeb Lohani |
| CVE-2026-4708 | Incorrect boundary conditions | Moderate | Sajeeb Lohani |
| CVE-2026-4709 | Incorrect boundary conditions | Moderate | Sajeeb Lohani |
| CVE-2026-4710 | Incorrect boundary conditions | Moderate | Sajeeb Lohani |
| CVE-2026-4711 | Use-after-free | Moderate | Josh Aas |
| CVE-2026-4725 | Sandbox escape via use-after-free | Moderate | Jun Yang |
| CVE-2026-4712 | Information disclosure | Moderate | Josh Aas |
| CVE-2026-4713 | Incorrect boundary conditions | Moderate | Sajeeb Lohani |
| CVE-2026-4714 | Incorrect boundary conditions | Moderate | Sajeeb Lohani |
| CVE-2026-4715 | Uninitialized memory | Moderate | Jun Yang |
| CVE-2026-4716 | Incorrect boundary conditions, uninitialized memory | Moderate | Pwn2addr |
| CVE-2026-4717 | Privilege escalation | Moderate | Satoki Tsuji |
| CVE-2026-4726 | Denial of service | Low | Hanno Boeck |
| CVE-2025-59375 | Denial of service | Low | Jan Horak |
| CVE-2026-4727 | Denial of service | Low | Cody |
| CVE-2026-4728 | Spoofing | Low | Aswinkumar Gokulakannan |
| CVE-2026-4718 | Undefined behavior | Low | Ben Asher et al. (via Claude/Anthropic) |
| CVE-2026-4719 | Incorrect boundary conditions | Low | Sajeeb Lohani |
The moderate-severity tier features a broad range of issues across the Canvas2D, Graphics, Audio/Video, and JavaScript Engine components. CVE-2026-4725 is a sandbox escape via use-after-free in the Canvas2D component, reported by Jun Yang.
CVE-2026-4717 allows privilege escalation in the Netmonitor component, discovered by Satoki Tsuji. Low-severity fixes include denial-of-service bugs in the XML and NSS libraries (CVE-2026-4726, CVE-2025-59375, CVE-2026-4727) and a spoofing issue in the Privacy: Anti-Tracking component (CVE-2026-4728), reported by Aswinkumar Gokulakannan.
All vulnerabilities affect Firefox versions prior to 149. Firefox ESR 140.9 and Firefox ESR 115.34 also received corresponding patches for a subset of these flaws. Users are strongly advised to update to Firefox 149 immediately via the browser’s built-in updater or by downloading directly from Mozilla’s official website.
Organizations managing enterprise deployments should prioritize patching, given the presence of multiple sandbox-escape and remote-code-execution vectors in this release.
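As an added check for fleet triage (not part of the original article), the following Python snippet classifies a Firefox version string against the fixed builds named above: release 149, ESR 140.9 and ESR 115.34. The version-string formats and the sample inventory are assumptions constructed for the example.

```python
"""Flag Firefox builds that predate the MFSA 2026-20 fixes (added example).

Fixed builds, per the advisory summary: Firefox 149, ESR 140.9, ESR 115.34.
Version strings are assumed to follow Firefox's own reporting format, e.g.
"148.0.1", "149.0", "140.8.0esr" (ESR builds carry an "esr" suffix).
"""
import re
from typing import List, Tuple

# (major, minor) of the first fixed build on each branch, from the advisory.
FIXED_RELEASE = (149, 0)
FIXED_ESR = {140: (140, 9), 115: (115, 34)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?\s*(esr)?$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_esr); raise on unrecognised input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3)) if m.group(3) else 0
    return (major, minor, patch), m.group(4) is not None


def is_patched(version: str) -> bool:
    """True if the build contains the MFSA 2026-20 fixes.

    ESR builds are compared against their own branch's fixed minor version;
    without the "esr" suffix a 140.x build is (wrongly) judged as a release
    build, so keep the suffix when collecting inventory. An ESR branch the
    advisory does not list is treated as fixed only if it is newer than every
    listed branch (assumption: conservative, flags unknown older branches).
    """
    (major, minor, _patch), is_esr = parse_version(version)
    if is_esr:
        fixed = FIXED_ESR.get(major)
        if fixed is not None:
            return (major, minor) >= fixed
        return major > max(FIXED_ESR)
    return (major, minor) >= FIXED_RELEASE


def hosts_needing_update(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose Firefox build is not yet patched."""
    return [host for host, ver in inventory if not is_patched(ver)]


# Constructed sample inventory: (hostname, reported Firefox version).
SAMPLE_INVENTORY = [("ws-01", "148.0.1"), ("ws-02", "149.0"),
                    ("kiosk-07", "140.8.0esr"), ("lab-03", "115.34.0esr")]

if __name__ == "__main__":
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```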
The post Firefox 149 Released With Patch for 37 Vulnerabilities that Enables Remote Attacks appeared first on Cyber Security News.