Critical severity9.8NVD Advisory· Published Mar 24, 2026· Updated Apr 13, 2026
CVE-2026-4691
CVE-2026-4691
Description
Use-after-free in the CSS Parsing and Computation component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
Affected products
2cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*+ 1 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*range: <115.34.0
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*range: <149.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- www.mozilla.org/security/advisories/mfsa2026-20/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-21/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-22/nvdVendor Advisory
- bugzilla.mozilla.org/show_bug.cginvdPermissions Required
- www.mozilla.org/security/advisories/mfsa2026-23/nvd
- www.mozilla.org/security/advisories/mfsa2026-24/nvd
News mentions
0No linked articles in our index yet.