CVE-2026-4717
Description
Privilege escalation in the Netmonitor component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A critical privilege escalation vulnerability in the Netmonitor component of Firefox and Thunderbird allows an attacker to gain elevated access. The bug is fixed in Firefox 149 and ESR 140.9 and Thunderbird 149 and 140.9.
CVE-2026-4717 is a critical privilege escalation vulnerability in the Netmonitor component of Firefox and Thunderbird. Root cause analysis is not disclosed in the advisories, but the flaw allows a low-privileged attacker to escalate privileges to a higher level within the browser or mail client environment.
The attack surface is browser-like contexts in Firefox and potentially in Thunderbird when scripting is enabled for mail reading. The vulnerability has a CVSS v3 score of 9.8, indicating it can be exploited remotely without authentication and without user interaction in some scenarios. Advisories note that these flaws cannot typically be exploited through email in Thunderbird because scripting is disabled when reading mail, but they remain a risk in browser or browser-like contexts.
Successful exploitation could allow an attacker to gain elevated privileges within the application, potentially leading to arbitrary code execution, sandbox escape, or access to sensitive data. The impact is high as it enables attackers to bypass security boundaries and compromise the host system.
Mozilla has fixed this vulnerability in Firefox 149 and Firefox ESR 140.9 and Thunderbird 149 and Thunderbird 140.9, released on March 24, 2026. Users and administrators should update to the patched versions immediately. No workarounds are available.
[1] [2] [3] [4]
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <149.0)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <140.9.0)
- (no CPE) range: <149 (Firefox) / <140.9 (Firefox ESR)
- (no CPE) range: <149 (Thunderbird) / <140.9 (Thunderbird ESR)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.mozilla.org/security/advisories/mfsa2026-20/ [nvd] Vendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-22/ [nvd] Vendor Advisory
- bugzilla.mozilla.org/show_bug.cgi [nvd] Permissions Required
- www.mozilla.org/security/advisories/mfsa2026-23/ [nvd]
- www.mozilla.org/security/advisories/mfsa2026-24/ [nvd]
News mentions
No linked articles in our index yet.