{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3845", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-03-09T19:29:38.565Z", "datePublished": "2026-03-10T15:03:48.867Z", "dateUpdated": "2026-04-13T13:53:59.701Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "148.0.2", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in the Audio/Video: Playback component in Firefox for Android. This vulnerability was fixed in Firefox 148.0.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Heap buffer overflow in the Audio/Video: Playback component in Firefox for Android. This vulnerability was fixed in Firefox 148.0.2."}]}], "title": "Heap buffer overflow in the Audio/Video: Playback component in Firefox for Android", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2020174"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-19/"}], "credits": [{"lang": "en", "value": "Crixer"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:53:59.701Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-122", "lang": "en", "description": "CWE-122 Heap-based Buffer Overflow"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-3845"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T03:56:41.516Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3845", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T15:32:16.806193Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T15:32:06.470Z"}}], "cna": {"title": "Heap buffer overflow in the Audio/Video: Playback component in Firefox for Android", "credits": [{"lang": "en", "value": "Crixer"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "148.0.2", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2020174"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-19/"}], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in the Audio/Video: Playback component in Firefox for Android. This vulnerability was fixed in Firefox 148.0.2.", "supportingMedia": [{"type": "text/html", "value": "Heap buffer overflow in the Audio/Video: Playback component in Firefox for Android. This vulnerability was fixed in Firefox 148.0.2.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:53:59.701Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3845", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:53:59.701Z", "dateReserved": "2026-03-09T19:29:38.565Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-03-10T15:03:48.867Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:*:android:*:*", "matchCriteriaId": "D5AB16D0-CBFB-48D8-BFAF-4B27DC3F260B", "versionEndExcluding": "148.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Heap buffer overflow in the Audio/Video: Playback component in Firefox for Android. This vulnerability was fixed in Firefox 148.0.2."}, {"lang": "es", "value": "Desbordamiento de b\u00fafer de mont\u00f3n en el componente Audio/Video: Reproducci\u00f3n en Firefox para Android. Esta vulnerabilidad afecta a Firefox < 148.0.2."}], "id": "CVE-2026-3845", "lastModified": "2026-04-13T15:17:34.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-10T18:19:05.507", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2020174"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-19/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,148.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-15T15:40:50.449122+00:00", "value": {"mitigation_remediation": ["Download and install Mozilla Firefox version 148.0.2 or newer from the official Play Store or Mozilla website", "Enable automatic updates for Firefox to receive future security patches as soon as they are released", "Deploy a media\u2011content filtering solution on the device or network to block or monitor suspicious audio and video files as a temporary measure until the browser is updated"], "summary": {"action": "Immediate Patch", "impact": "Heap buffer overflow that can lead to memory corruption and potentially arbitrary code execution on Android devices running older Firefox versions"}, "threat_synthesis": {"affected_systems": "All Android installations of Mozilla Firefox that are older than version 148.0.2 are affected. The vulnerability was fixed in that release, so any device running Firefox 148.0.2 or newer is no longer susceptible.", "description_and_impact": "Firefox for Android contains a heap buffer overflow in the Audio/Video: Playback component. If an attacker can supply crafted audio or video data, the overflow can corrupt the heap, potentially leading to a crash, denial\u2011of\u2011service, or execution of arbitrary code. The vulnerability is a classic memory corruption flaw (CWE\u2011122) that threatens the confidentiality or integrity of data in the affected process.", "risk_and_exploitability": "The CVSS score of 8.8 classifies this issue as high severity. The EPSS score of less than 1% indicates a very low likelihood of widespread exploitation at present, and the vulnerability is not yet listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Nonetheless, because an attacker can trigger the flaw remotely by delivering malicious media to the browser, the risk remains significant for environments that rely on Firefox for Android. Mitigation through an up\u2011to\u2011date Firefox package is the recommended approach."}}}}, "created": "2026-03-11T11:50:06.361574+00:00", "updated": "2026-04-15T17:00:07.027519+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}