Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
Firefox and Thunderbird: JavaScript Engine Can Crash or Execute Malicious Code
CVE-2026-2764
Summary
Some versions of Firefox and Thunderbird are vulnerable to a bug that can cause the browser or email client to crash or be exploited by attackers. This bug is caused by a programming error in the JavaScript Engine, which is used to execute web pages and scripts. Update to the latest version to fix the issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| mozilla | firefox | <= 115.33.0 | – |
| mozilla | firefox | <= 148.0 | – |
| mozilla | firefox | > 128.0 , <= 140.8.0 | – |
| mozilla | thunderbird | <= 140.8.0 | – |
| mozilla | thunderbird | <= 148.0 | – |
Original title
JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird <...
Original description
JIT miscompilation, use-after-free in the JavaScript Engine: JIT component. This vulnerability affects Firefox < 148, Firefox ESR < 115.33, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.
nvd CVSS3.1
9.8
Vulnerability type
CWE-416
Use After Free
- https://bugzilla.mozilla.org/show_bug.cgi?id=2012608 Issue Tracking Permissions Required
- https://www.mozilla.org/security/advisories/mfsa2026-13/ Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2026-14/ Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2026-15/ Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2026-16/ Vendor Advisory
- https://www.mozilla.org/security/advisories/mfsa2026-17/ Vendor Advisory
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026