{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2794", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-02-19T15:06:38.903Z", "datePublished": "2026-02-24T13:33:25.399Z", "dateUpdated": "2026-04-13T13:54:08.870Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "148", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 148.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 148."}]}], "title": "Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2008365"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-13/"}], "credits": [{"lang": "en", "value": "Steven Julian"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:54:08.870Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-908", "lang": "en", "description": "CWE-908 Use of Uninitialized Resource"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T20:18:03.470831Z", "id": "CVE-2026-2794", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T20:18:07.820Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2794", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T20:18:03.470831Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-908", "description": "CWE-908 Use of Uninitialized Resource"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T20:17:54.804Z"}}], "cna": {"title": "Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android", "credits": [{"lang": "en", "value": "Steven Julian"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "148", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2008365"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-13/"}], "descriptions": [{"lang": "en", "value": "Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 148.", "supportingMedia": [{"type": "text/html", "value": "Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 148.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:54:08.870Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2794", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:54:08.870Z", "dateReserved": "2026-02-19T15:06:38.903Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-02-24T13:33:25.399Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "3D8676DB-4A12-41A0-A1A5-2DED97287973", "versionEndExcluding": "148.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 148."}, {"lang": "es", "value": "Revelaci\u00f3n de informaci\u00f3n debida a memoria no inicializada en Firefox y Firefox Focus para Android. Esta vulnerabilidad afecta a Firefox < 148."}], "id": "CVE-2026-2794", "lastModified": "2026-04-13T15:17:28.313", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-24T14:16:27.897", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2008365"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-13/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-908"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-908"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Information disclosure due to uninitialized memory in Firefox and Firefox Focus for Android", "id": "2442286", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442286"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["No description is available for this CVE."], "name": "CVE-2026-2794", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-24T13:33:25Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-2794\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2794\nhttps://www.mozilla.org/security/advisories/mfsa2026-13/#CVE-2026-2794"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,148)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-15T16:55:51.531131+00:00", "value": {"mitigation_remediation": ["Upgrade Mozilla Firefox to version 148 or newer, which removes the uninitialized memory handling bug and prevents information disclosure.", "For Firefox Focus users, confirm that the latest security update is installed on their Android device, either through the Google Play Store or direct Mozilla update channels.", "If immediate upgrade is not possible, monitor for any local triggers that might expose sensitive memory and avoid browsing sites that may exploit the memory path while awaiting the official patch."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The flaw affects Mozilla Firefox on desktop and Firefox Focus on Android. All builds released prior to Firefox 148 contain the defect, as the fix was introduced in that version. Users of earlier releases are at risk until they upgrade.", "description_and_impact": "Uninitialized memory in Firefox and Firefox Focus for Android can lead to accidental exposure of private data such as browsing history, cookies, or stored credentials. The bug is classified as CWE\u2011908, Improper Memory Management, because the browser does not clear memory buffers before reuse, allowing an attacker to read residual data after a view or component is no longer in use. The vulnerability does not require code execution or elevated privileges, but it can compromise confidentiality of user information.", "risk_and_exploitability": "With a CVSS score of 6.5, the vulnerability is considered moderate, primarily affecting the confidentiality of user data due to a CWE\u2011908, Improper Memory Management flaw. The EPSS score of less than 1% and absence from CISA\u2019s KEV catalog suggest that exploitation of this flaw is unlikely in the wild. The attack vector is not explicitly detailed in the available data; based on the description, it is inferred that the leak may be triggered by local user interaction or a malicious web page that causes the browser to access uninitialized memory. This does not require code execution or elevated privileges, and the impact is limited to information disclosure."}}}}, "created": "2026-02-25T11:39:16.202746+00:00", "updated": "2026-04-15T17:15:10.548361+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}