Multiple vulnerabilities in Mozilla products could allow arbitrary code execution

Several vulnerabilities have been discovered in Mozilla products, the most serious of which could allow the execution of arbitrary code.

• Mozilla Firefox is a web browser used to access the Internet.
• Mozilla Firefox ESR is a version of the web browser intended for deployment in large organizations.
• Mozilla Thunderbird is an email client.
• Mozilla Thunderbird ESR is a version of the email client intended for deployment in large organizations.

Successful exploitation of the most severe of these vulnerabilities could allow arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system might be less affected than those who operate with administrative user rights.

There are currently no reports of these vulnerabilities being exploited in the wild.

Several vulnerabilities have been discovered in Mozilla products, the most serious of which could allow the execution of arbitrary code. The details of these vulnerabilities are as follows:

Tactical: Initial access (TA0001):

Technical: Compromise while driving (T1189)

• Memory security bugs fixed in Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2, and Thunderbird 149.0.2. (CVE-2026-5731)
• Memory security bugs fixed in Firefox ESR 140.9.1, Thunderbird ESR 140.9.1, Firefox 149.0.2, and Thunderbird 149.0.2. (CVE-2026-5734)
• Memory security bugs fixed in Firefox 149.0.2 and Thunderbird 149.0.2. (CVE-2026-5735)

Other vulnerabilities of lesser severity include:

• Incorrect boundary conditions, integer overflow in graph. (CVE-2026-5732)
• Incorrect boundary conditions in graphs. (CVE-2026-5733)

Successful exploitation of the most severe of these vulnerabilities could allow arbitrary code execution. Depending on the privileges associated with the user, an attacker could then install programs; view, modify or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system might be less affected than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend that the following actions be taken:

• Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing. (M1051: Update software)
• Backup 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for company assets. Review and update documentation annually or when significant changes within the business occur that could impact this protection.
• Backup 7.4: Perform automated application patch management: Perform application updates on enterprise assets with automated patch management on a monthly or more frequent basis.
• Backup 7.7: Fix detected vulnerabilities: Remediate detected vulnerabilities in software through processes and tools on a monthly or more frequent basis, depending on the remediation process.
• Backup 9.1: Make sure you only use fully supported browsers and email clients: Ensure that only fully supported browsers and email clients are allowed to run in the enterprise, using only the latest version of vendor-provided browsers and email clients.
• Apply the principle of least privilege to all systems and services. Run all software as an unprivileged user (without administrative privileges) to lessen the effects of a successful attack. (M1026: Management of privileged accounts)
• Backup 4.7: Manage default accounts on company assets and software: Manage default accounts on company assets and software, such as root, administrator, and other preconfigured vendor accounts. Example implementations may include: disabling default accounts or rendering them unusable.
• Backup 5.4: Restrict administrator privileges to dedicated administrator accounts: Limit administrator privileges to dedicated administrator accounts on company assets. Perform general computing activities, such as browsing the Internet, email, and using the Productivity Suite, from the user’s primary, non-privileged account.
• Use features to detect and block conditions that could lead to or indicate the occurrence of a software exploit. (M1050: Exploit Protection)
• Backup 10.5: Enable anti-exploitation features: Enable anti-exploitation features on company assets and software where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
• Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. (M1021: Restrict web content)
• Backup 9.2: Use DNS filtering services: Use DNS filtering services on all company assets to block access to known malicious domains.
• Backup 9.3: Maintain and apply network-based URL filters: Apply and update network-based URL filters to prevent a business asset from connecting to potentially malicious or untrusted websites. Example implementations include category-based filtering, reputation-based filtering, or the use of blocklists. Apply filters for all company assets.
• Backup 9.6: Block unnecessary file types: Block unnecessary file types that attempt to access the company’s email gateway.
• Block code execution on a system through application control and/or script blocking. (M1038: Execution Prevention)
• Backup 2.5: Software allowed on the allowlist: Use technical controls, such as application whitelisting, to ensure that only authorized software can run or be accessed. Reassess every two years or more frequently.
• Backup 2.6: Authorized list of authorized libraries: Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc. files, are allowed to load into a system process. Prevent unauthorized libraries from loading into a system process. Reassess every two years or more frequently.
• Backup 2.7: Allowed list of allowed scripts: Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc. files, are allowed to run. Block the execution of unauthorized scripts. Reassess every two years or more frequently.
• Use features to prevent suspicious behavior patterns from appearing on endpoint systems. This could include a suspicious process, file, API call, etc. (M1040: Preventing Endpoint Behaviors)
• Backup 13.2: Deploy a host-based intrusion detection solution: Deploy a host-based intrusion detection solution on enterprise assets where applicable and/or supported.
• Backup 13.7: Deploy a host-based intrusion prevention solution: Deploy a host-based intrusion prevention solution on enterprise assets where applicable and/or supported. Example implementations include using an Endpoint Detection and Response (EDR) client or a host-based IPS agent.
• Inform and educate users about the threats posed by hyperlinks contained in emails or attachments, especially from untrusted sources. Remind users not to visit untrustworthy websites or follow links provided by unknown or untrustworthy sources. (M1017: User training)
• Backup 14.1: Establish and maintain a security awareness program: Establish and maintain a security awareness program. The goal of a security awareness program is to educate company personnel on how to interact with company assets and data securely. Organize training upon hiring and, at a minimum, once a year. Review and update the content annually or when significant changes within the business occur that could impact this protection.
• Backup 14.2: Train staff members to recognize social engineering attacks: Train your staff to recognize social engineering attacks, such as phishing, fake text, and tailgating.