{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2804", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-02-19T15:07:01.585Z", "datePublished": "2026-02-24T13:33:32.144Z", "dateUpdated": "2026-04-13T13:54:33.221Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "148", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "148", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148."}]}], "title": "Use-after-free in the JavaScript: WebAssembly component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013584"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-13/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-16/"}], "credits": [{"lang": "en", "value": "Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:54:33.221Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "CWE-416 Use After Free"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T15:55:39.007594Z", "id": "CVE-2026-2804", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T15:56:04.804Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2804", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T15:55:39.007594Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T15:55:59.764Z"}}], "cna": {"title": "Use-after-free in the JavaScript: WebAssembly component", "credits": [{"lang": "en", "value": "Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "148", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "148", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013584"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-13/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-16/"}], "descriptions": [{"lang": "en", "value": "Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.", "supportingMedia": [{"type": "text/html", "value": "Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:54:33.221Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2804", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:54:33.221Z", "dateReserved": "2026-02-19T15:07:01.585Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-02-24T13:33:32.144Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "3D8676DB-4A12-41A0-A1A5-2DED97287973", "versionEndExcluding": "148.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "matchCriteriaId": "C5EBE90D-1996-4578-B715-605B24E66C59", "versionEndExcluding": "148.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 148 and Thunderbird 148."}, {"lang": "es", "value": "Uso despu\u00e9s de liberaci\u00f3n en el componente JavaScript: WebAssembly. Esta vulnerabilidad afecta a Firefox < 148 y Thunderbird < 148."}], "id": "CVE-2026-2804", "lastModified": "2026-04-13T15:17:31.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-02-24T14:16:28.917", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013584"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-13/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-16/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: thunderbird: Use-after-free in the JavaScript: WebAssembly component", "id": "2442332", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442332"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "details": ["Use-after-free in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 148 and Thunderbird < 148."], "name": "CVE-2026-2804", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/thunderbird-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "thunderbird", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-24T13:33:32Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-2804\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2804\nhttps://www.mozilla.org/security/advisories/mfsa2026-13/#CVE-2026-2804\nhttps://www.mozilla.org/security/advisories/mfsa2026-16/#CVE-2026-2804"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,148)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,148)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Thunderbird", "source": "cna", "vendor": "Mozilla"}, "product": "thunderbird", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-15T15:21:57.490124+00:00", "value": {"mitigation_remediation": ["Apply the latest supported Mozilla Firefox release, ensuring it is at least version 148 or newer.", "Apply the latest supported Mozilla Thunderbird release, ensuring it is at least version 148 or newer.", "Keep the browsers up to date by enabling automatic updates or regularly checking Mozilla\u2019s security advisories, and if an immediate update is not possible, consider restricting or blocking WebAssembly execution."], "summary": {"action": "Apply Patch", "impact": "Potential Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability touches Mozilla\u2019s Firefox and Thunderbird browsers. Versions prior to 148 are susceptible; the issue was patched in Firefox\u202f148 and Thunderbird\u202f148. The affected releases are those listed by the CPE identifiers or by the vendor product names above.", "description_and_impact": "The flaw occurs in the JavaScript WebAssembly handler where an object is freed too early while still referenced, creating a use\u2011after\u2011free condition. This weakness (CWE\u2011416) allows memory corruption if an attacker supplies crafted WebAssembly code that can be executed in the context of the JavaScript engine. The description does not detail a confirmed exploit, but such a condition can potentially lead to arbitrary code execution or denial of service within the affected application.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity. EPSS is under 1\u2009%, implying that market exploitation is unlikely at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation would require an attacker to deliver malicious WebAssembly payload to the victim\u2019s browser, which typically means a compromised site or social engineering. Given the low EPSS, the actual risk for most users is low, but the existence of a use\u2011after\u2011free flaw warrants patching."}}}}, "created": "2026-02-25T11:39:07.247125+00:00", "updated": "2026-04-15T17:00:07.089928+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$thunderbird"], "weaknesses": ["CWE-416"]}