Mozilla Firefox and Thunderbird GMP Component Denial-of-Service Vulnerability (CVE-2026-4709)
A vulnerability exists in the Audio/Video: GMP component of Mozilla Firefox and Thunderbird due to incorrect boundary conditions, potentially leading to a denial-of-service condition.
CVE-2026-4709 describes a vulnerability affecting Mozilla Firefox and Thunderbird related to incorrect boundary conditions in the Graphics Media Player (GMP) component's audio/video processing. Specifically, Firefox versions prior to 149, Firefox ESR versions prior to 115.34 and 140.9, Thunderbird versions prior to 149, and Thunderbird versions prior to 140.9 are affected. Successful exploitation of this vulnerability could lead to a denial-of-service condition. This vulnerability was disclosed on March 24, 2026, and defenders should ensure their Firefox and Thunderbird installations are updated to the latest versions to mitigate the risk.
Attack Chain
- An attacker crafts a malicious audio/video file or stream.
- The user opens the crafted file or visits a website embedding it via Firefox or Thunderbird.
- The GMP component attempts to process the audio/video data.
- The incorrect boundary conditions within the GMP component are triggered due to the malformed data.
- This leads to a memory corruption or other unexpected behavior within the GMP component.
- The application (Firefox or Thunderbird) becomes unstable.
- The application crashes, resulting in a denial of service.
Impact
Successful exploitation of CVE-2026-4709 can result in a denial-of-service condition. While the NVD entry assigns a CVSS score of 7.5 (High), the impact is limited to the availability of the affected application. Users would experience unexpected crashes and be unable to use the browser or email client until it is restarted. Widespread exploitation could impact productivity and potentially disrupt workflows relying on Firefox or Thunderbird.
Recommendation
- Upgrade all Firefox installations to version 149 or later to remediate CVE-2026-4709.
- Upgrade all Firefox ESR installations to version 115.34 or 140.9 or later to remediate CVE-2026-4709.
- Upgrade all Thunderbird installations to version 149 or later to remediate CVE-2026-4709.
- Monitor process crashes of Firefox and Thunderbird with unexpected module faults to identify potential exploitation attempts.
Detection coverage 2
Firefox GMP Component Crash
mediumDetects crashes in Firefox potentially related to the GMP component vulnerability (CVE-2026-4709).
Thunderbird GMP Component Crash
mediumDetects crashes in Thunderbird potentially related to the GMP component vulnerability (CVE-2026-4709).
Detection queries are available on the platform. Get full rules →