VYPR
High severity 8.8 · NVD Advisory · Published Mar 24, 2026 · Updated Apr 13, 2026

CVE-2026-4722

Description

Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Privilege escalation in the IPC component of Firefox and Thunderbird, fixed in version 149, allowing an attacker to gain elevated access.

Vulnerability

Overview

CVE-2026-4722 is a privilege escalation vulnerability in the Inter-Process Communication (IPC) component of Mozilla Firefox and Thunderbird. The root cause lies in the IPC mechanism's failure to properly enforce security boundaries, allowing a compromised child process to request elevated privileges beyond its intended sandbox level. This flaw can be triggered by a malicious actor who has already achieved limited code execution within a sandboxed process.

Exploitation and Attack Surface

To exploit this vulnerability, an attacker first needs to gain code execution within a Firefox or Thunderbird child process, for example through a separate memory corruption bug. Once that foothold is established, the flaw in the IPC component can be used to escalate privileges and break out of the sandbox. Notably, in the Thunderbird product, scripting is disabled when reading mail, so the attack surface is reduced in email-only contexts, but the risk remains in browser or browser-like contexts [1].

Impact

Successful exploitation allows an attacker to escape the sandbox and execute arbitrary code with the full privileges of the user running the application. This can lead to complete compromise of the user's system, including data theft, installation of malware, or further lateral movement within a network.

Mitigation

Mozilla has addressed this vulnerability in Firefox 149 and Thunderbird 149, released on March 24, 2026 [1][2]. Users should update their software to the latest version immediately. No workarounds have been published, and the vulnerability is not known to be exploited in the wild at the time of disclosure.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 3
