Firefox — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/firefox/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 25 Mar 2026 14:18:11 +0000CVE-2026-4729 Memory Safety Vulnerabilities in Firefox and Thunderbirdhttps://feed.craftedsignal.io/briefs/2026-06-firefox-thunderbird-cve/Wed, 25 Mar 2026 14:18:11 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-firefox-thunderbird-cve/Firefox 148 and Thunderbird 148 contain memory safety bugs that could potentially be exploited to execute arbitrary code, impacting versions prior to 149.<p>CVE-2026-4729 describes memory safety vulnerabilities present in Firefox 148 and Thunderbird 148. According to the NVD analysis, some of these bugs exhibit memory corruption, suggesting a potential for exploitation. It is presumed that attackers could potentially exploit these vulnerabilities to achieve arbitrary code execution. Successful exploitation would allow an attacker to perform unauthorized actions, potentially compromising the confidentiality, integrity, and availability of the…</p> criticaladvisorycve-2026-4729memory-corruptionfirefoxthunderbirdrceFirefox and Thunderbird Memory Safety Vulnerability (CVE-2026-4720)https://feed.craftedsignal.io/briefs/2026-03-firefox-memory-safety/Wed, 25 Mar 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-firefox-memory-safety/A memory safety vulnerability (CVE-2026-4720) in Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148 and Thunderbird 148 could lead to memory corruption and potential arbitrary code execution if successfully exploited.<p>A critical memory safety vulnerability, tracked as CVE-2026-4720, affects Mozilla Firefox and Thunderbird. Specifically, Firefox ESR 140.8, Thunderbird ESR 140.8, Firefox 148, and Thunderbird 148 are vulnerable. The identified memory safety bugs exhibit evidence of memory corruption, suggesting that with sufficient effort, attackers could exploit these vulnerabilities to execute arbitrary code on affected systems. Users of Firefox versions prior to 149, Firefox ESR versions prior to 140.9…</p> criticaladvisorycve-2026-4720firefoxthunderbirdmemory-corruptionarbitrary-code-executionMozilla Firefox and Thunderbird Use-After-Free Vulnerability (CVE-2026-4723)https://feed.craftedsignal.io/briefs/2026-03-firefox-thunderbird-uaf/Tue, 24 Mar 2026 13:16:08 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-firefox-thunderbird-uaf/A use-after-free vulnerability, CVE-2026-4723, in the JavaScript Engine of Mozilla Firefox and Thunderbird before version 149 could allow arbitrary code execution if successfully exploited by an attacker.<p>CVE-2026-4723 is a critical use-after-free vulnerability affecting the JavaScript Engine component in Mozilla Firefox and Thunderbird. This flaw exists in versions prior to 149. A remote attacker could potentially exploit this vulnerability by crafting malicious JavaScript code that, when processed by a vulnerable browser or email client, triggers the use-after-free condition. The vulnerability was reported by Mozilla Corporation and assigned a CVSS v3.1 base score of 9.8, indicating a high…</p> criticaladvisoryuse-after-freefirefoxthunderbirdjavascriptcve-2026-4723Mozilla Firefox and Thunderbird Canvas2D Use-After-Free Vulnerability (CVE-2026-4725)https://feed.craftedsignal.io/briefs/2026-03-cve-2026-4725/Tue, 24 Mar 2026 13:16:08 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-cve-2026-4725/A use-after-free vulnerability in the Canvas2D component of Mozilla Firefox and Thunderbird versions before 149 allows for a potential sandbox escape.CVE-2026-4725 is a critical use-after-free vulnerability impacting the Canvas2D graphics component in Mozilla Firefox and Thunderbird. Specifically, versions prior to 149 are affected. This vulnerability could allow an attacker to potentially escape the browser’s or email client’s sandbox. The vulnerability stems from improper memory management in the Canvas2D component, where freed memory is accessed again. Successful exploitation of this flaw could grant an attacker elevated privileges or the…

]]>criticaladvisoryuse-after-freesandbox-escapefirefoxthunderbirdUninitialized Memory Vulnerability in Firefox Canvas2D (CVE-2026-4715)https://feed.craftedsignal.io/briefs/2026-03-firefox-uninitialized-memory/Tue, 24 Mar 2026 13:16:07 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-firefox-uninitialized-memory/CVE-2026-4715 is a critical vulnerability involving uninitialized memory in the Graphics: Canvas2D component of Firefox, Firefox ESR, and Thunderbird, potentially leading to information disclosure or arbitrary code execution.<p>CVE-2026-4715 describes an uninitialized memory flaw within the Canvas2D graphics component of Mozilla Firefox, Firefox ESR, and Thunderbird. Discovered and reported in March 2026, this vulnerability affects Firefox versions prior to 149, Firefox ESR versions prior to 140.9, Thunderbird versions prior to 149, and Thunderbird ESR versions prior to 140.9. Successful exploitation of this issue could allow an attacker to read sensitive information from memory or potentially execute arbitrary code…</p> criticaladvisorycve-2026-4715firefoxthunderbirduninitialized-memoryvulnerabilityMozilla Firefox and Thunderbird Graphics Text Component Vulnerability (CVE-2026-4719)https://feed.craftedsignal.io/briefs/2026-03-firefox-thunderbird-cve-2026-4719/Tue, 24 Mar 2026 13:16:07 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-firefox-thunderbird-cve-2026-4719/CVE-2026-4719 describes an incorrect boundary condition in the Graphics: Text component of Mozilla Firefox and Thunderbird, potentially leading to a denial-of-service condition in vulnerable versions.<p>CVE-2026-4719 is a security vulnerability affecting Mozilla Firefox and Thunderbird. The vulnerability stems from incorrect boundary conditions within the <code>Graphics: Text</code> component. Specifically, Firefox versions prior to 149, Firefox ESR versions prior to 140.9, Thunderbird versions prior to 149, and Thunderbird ESR versions prior to 140.9 are affected. Successful exploitation of this vulnerability could potentially lead to a denial-of-service condition by crashing the application. This…</p> mediumadvisorycvevulnerabilityfirefoxthunderbirdFirefox Netmonitor Privilege Escalation Vulnerability (CVE-2026-4717)https://feed.craftedsignal.io/briefs/2026-03-firefox-privesc/Tue, 24 Mar 2026 13:16:07 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-firefox-privesc/CVE-2026-4717 is a critical privilege escalation vulnerability in the Netmonitor component of Firefox, Firefox ESR, and Thunderbird, potentially allowing an attacker to gain elevated privileges on a vulnerable system.<p>CVE-2026-4717 is a critical vulnerability affecting Mozilla Firefox, Firefox ESR, and Thunderbird. The vulnerability lies within the Netmonitor component and can lead to privilege escalation. Specifically, Firefox versions prior to 149, Firefox ESR versions prior to 140.9, Thunderbird versions prior to 149, and Thunderbird ESR versions prior to 140.9 are affected. The vulnerability allows an attacker to potentially gain elevated privileges on the targeted system. This could allow for arbitrary…</p> criticaladvisoryprivilege-escalationfirefoxthunderbirdcve-2026-4717WebRTC Signaling Denial-of-Service Vulnerability (CVE-2026-4704)https://feed.craftedsignal.io/briefs/2026-03-webrtc-dos/Tue, 24 Mar 2026 13:16:06 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-webrtc-dos/CVE-2026-4704 is a denial-of-service vulnerability in the WebRTC Signaling component affecting Firefox, Firefox ESR, and Thunderbird, potentially disrupting service availability.<p>CVE-2026-4704 is a denial-of-service vulnerability residing in the WebRTC Signaling component of Mozilla products. This flaw impacts Firefox versions prior to 149, Firefox ESR versions before 140.9, Thunderbird versions lower than 149, and Thunderbird also prior to version 140.9. Successful exploitation of this vulnerability could lead to a denial-of-service condition, rendering the affected application unavailable. The vulnerability was disclosed on March 24, 2026. Defenders should prioritize…</p> mediumadvisorywebrtcdenial-of-servicefirefoxthunderbirdFirefox and Thunderbird Mitigation Bypass Vulnerability (CVE-2026-4700)https://feed.craftedsignal.io/briefs/2026-03-firefox-mitigation-bypass/Tue, 24 Mar 2026 13:16:06 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-firefox-mitigation-bypass/CVE-2026-4700 is a critical vulnerability in the Networking: HTTP component of Firefox, Firefox ESR, and Thunderbird, allowing a mitigation bypass in versions prior to Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.<p>CVE-2026-4700 is a mitigation bypass vulnerability affecting Mozilla Firefox, Firefox ESR, and Thunderbird. The vulnerability resides within the Networking: HTTP component and impacts versions earlier than Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9. Successful exploitation could allow an attacker to bypass intended security mitigations, potentially leading to further compromise of the affected system. This vulnerability was disclosed on March 24, 2026, and poses a…</p> criticaladvisorycve-2026-4700firefoxthunderbirdmitigation-bypassMozilla Firefox and Thunderbird WebCodecs Boundary Condition Vulnerability (CVE-2026-4695)https://feed.craftedsignal.io/briefs/2026-03-firefox-webcodecs-vuln/Tue, 24 Mar 2026 13:16:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-firefox-webcodecs-vuln/An incorrect boundary condition in the Audio/Video Web Codecs component in Mozilla Firefox and Thunderbird (CVE-2026-4695) could lead to a denial-of-service (DoS) condition due to a vulnerability that affects Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.<p>CVE-2026-4695 describes a vulnerability affecting Mozilla Firefox and Thunderbird related to incorrect boundary conditions in the Audio/Video Web Codecs component. This flaw impacts Firefox versions prior to 149, Firefox ESR versions prior to 140.9, Thunderbird versions prior to 149, and Thunderbird ESR versions prior to 140.9. An attacker could potentially exploit this vulnerability to cause a denial-of-service condition, impacting the availability of the application. This vulnerability was…</p> mediumadvisorycve-2026-4695firefoxthunderbirdwebcodecsdenial-of-serviceMozilla Firefox and Thunderbird Web Codecs Denial-of-Service Vulnerability (CVE-2026-4697)https://feed.craftedsignal.io/briefs/2026-03-firefox-thunderbird-dos/Tue, 24 Mar 2026 13:16:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-firefox-thunderbird-dos/CVE-2026-4697 is a denial-of-service vulnerability due to incorrect boundary conditions in the Audio/Video Web Codecs component of Mozilla Firefox and Thunderbird, potentially leading to application crashes.<p>CVE-2026-4697 is a vulnerability affecting Mozilla Firefox and Thunderbird due to incorrect boundary conditions within the Audio/Video: Web Codecs component. This flaw can be exploited by attackers to trigger a denial-of-service condition. The vulnerability affects Firefox versions prior to 149, Firefox ESR versions prior to 140.9, Thunderbird versions prior to 149, and Thunderbird ESR versions prior to 140.9. An attacker could potentially craft malicious web content that triggers the incorrect…</p> mediumadvisorycve-2026-4697denial-of-servicemozillafirefoxthunderbirdMozilla Firefox and Thunderbird Audio/Video Playback Denial-of-Service Vulnerability (CVE-2026-4693)https://feed.craftedsignal.io/briefs/2026-03-firefox-dos/Tue, 24 Mar 2026 13:16:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-firefox-dos/CVE-2026-4693 is a vulnerability due to incorrect boundary conditions in the Audio/Video: Playback component of Mozilla Firefox and Thunderbird, potentially leading to a denial-of-service condition.<p>CVE-2026-4693 is a security vulnerability affecting the Audio/Video Playback component in Mozilla Firefox and Thunderbird. This flaw, stemming from incorrect boundary conditions, can be exploited by an unauthenticated attacker to cause a denial-of-service condition. The vulnerability affects Firefox versions prior to 149, Firefox ESR versions prior to 115.34 and 140.9, and Thunderbird versions prior to 149 and 140.9. Successful exploitation of this vulnerability results in the application…</p> mediumadvisorycvedenial-of-servicefirefoxthunderbirdFirefox and Thunderbird JIT Miscompilation Vulnerability (CVE-2026-4698)https://feed.craftedsignal.io/briefs/2026-03-firefox-jit-miscompilation/Tue, 24 Mar 2026 13:16:05 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-firefox-jit-miscompilation/A critical JIT miscompilation vulnerability (CVE-2026-4698) in the JavaScript engine affects Firefox and Thunderbird, potentially leading to remote code execution.<p>CVE-2026-4698 describes a JIT miscompilation vulnerability within the JavaScript engine&rsquo;s JIT component in Mozilla Firefox and Thunderbird. Specifically, Firefox versions prior to 149, Firefox ESR versions less than 115.34 and 140.9, and Thunderbird versions before 149 and 140.9 are affected. This vulnerability stems from a type confusion issue (CWE-843) during JavaScript code compilation, which an attacker can exploit to potentially execute arbitrary code on a vulnerable system. Given the…</p> criticaladvisoryfirefoxthunderbirdjitmiscompilationrcecve-2026-4698type-confusionMozilla Firefox Canvas2D Improper Boundary Condition Vulnerability (CVE-2026-4685)https://feed.craftedsignal.io/briefs/2026-03-firefox-canvas2d-vuln/Tue, 24 Mar 2026 13:16:04 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-firefox-canvas2d-vuln/An improper boundary condition vulnerability in the Canvas2D component of Mozilla Firefox, Firefox ESR, and Thunderbird (CVE-2026-4685) could allow for a denial-of-service condition.<p>CVE-2026-4685 describes an incorrect boundary condition in the Graphics: Canvas2D component affecting Mozilla Firefox versions prior to 149, Firefox ESR versions prior to 115.34 and 140.9, and Thunderbird versions prior to 149 and 140.9. This vulnerability could be exploited by a remote attacker to cause a denial-of-service condition. Successful exploitation of this vulnerability could result in the application crashing or becoming unresponsive. The vulnerability was reported and patched by…</p> mediumadvisorycve-2026-4685firefoxthunderbirddenial-of-servicecanvas2dFirefox and Thunderbird Sandbox Escape Vulnerability (CVE-2026-4687)https://feed.craftedsignal.io/briefs/2026-03-firefox-sandbox-escape/Tue, 24 Mar 2026 13:16:04 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-03-firefox-sandbox-escape/CVE-2026-4687 is a sandbox escape vulnerability in Firefox and Thunderbird due to incorrect boundary conditions in the Telemetry component, potentially allowing an attacker to execute arbitrary code outside the sandbox.<p>CVE-2026-4687 is a critical sandbox escape vulnerability affecting Mozilla Firefox and Thunderbird. The vulnerability stems from incorrect boundary conditions within the Telemetry component. Specifically, Firefox versions prior to 149, Firefox ESR versions prior to 115.34 and 140.9, and Thunderbird versions prior to 149 and 140.9 are affected. Successful exploitation could allow an attacker to bypass the intended security restrictions of the sandbox environment and potentially execute arbitrary…</p> criticaladvisorysandbox-escapefirefoxthunderbirdcve-2026-4687Non-Firefox Process Accessing Firefox Profile Directoryhttps://feed.craftedsignal.io/briefs/2024-01-firefox-profile-access/Wed, 03 Jan 2024 15:22:32 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-firefox-profile-access/This analytic detects non-Firefox processes accessing the Firefox profile directory, potentially indicating malware attempting to harvest sensitive user data like login credentials, browsing history, and cookies.This detection focuses on identifying unauthorized access to Firefox profile directories. The Firefox profile directory stores sensitive user data, including login credentials, browsing history, and cookies. When a non-Firefox process accesses this directory, it could be an indicator of malicious activity, such as a Remote Access Trojan (RAT) or other malware attempting to steal user information. The analytic leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This is relevant because successful credential theft can lead to account compromise, data breaches, and further propagation of malware within the network. The threat encompasses a broad range of malware families, including stealers (Azorult, RedLine Stealer, 0bj3ctivity Stealer), RATs (Remcos, Quasar RAT, Warzone RAT), keyloggers (Snake Keylogger, VIP Keylogger), and other malware like DarkGate, NjRAT, AgentTesla, and Lokibot. The activity has been observed in campaigns such as CISA AA23-347A and the 3CX Supply Chain Attack.

Attack Chain

  1. The user executes a malicious file, potentially delivered via phishing or drive-by download (not covered in source).
  2. The malicious file executes and establishes persistence on the system.
  3. The malware attempts to access the Firefox profile directory, located at *\AppData\Roaming\Mozilla\Firefox\Profiles*.
  4. Windows Security Event 4663 is generated, logging the access attempt to the Firefox profile directory.
  5. The malware reads sensitive data, such as login credentials, cookies, and browsing history, from the profile directory.
  6. The stolen data is exfiltrated to a command-and-control (C2) server.
  7. The attacker uses the stolen credentials to gain unauthorized access to user accounts and sensitive systems.

Impact

Successful exploitation and credential theft can lead to a wide range of negative outcomes, including unauthorized access to sensitive data, financial fraud, and further compromise of systems within the organization. The impact can range from individual user account compromise to large-scale data breaches affecting thousands of users. Industries heavily reliant on web-based applications and sensitive user data, such as finance, healthcare, and e-commerce, are particularly vulnerable. The consequences include financial losses, reputational damage, and legal liabilities.

Recommendation

  • Enable “Audit Object Access” in Group Policy and configure it to log both success and failure events for object access to activate the underlying log source required for this detection.
  • Deploy the provided Sigma rule to your SIEM to detect non-Firefox processes accessing Firefox profile directories.
  • Investigate any alerts generated by the Sigma rule, paying close attention to the ProcessName and ObjectName to identify potentially malicious processes and the specific profile data being accessed.
  • Review and update your organization’s security policies to restrict unauthorized access to sensitive user data.
]]>highadvisorycredential-accessmalwarefirefox