CVE-2026-4687

Description

Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

CVSS Details

CVSS Score

8.6

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE

Firefox < 149

Firefox ESR < 115.34

Firefox ESR < 140.9

Thunderbird < 149

Thunderbird < 140.9

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// Conceptual PoC for Telemetry Boundary Condition
// This is a simulation based on the vulnerability description

function triggerTelemetryOverflow() {
    // Attempt to manipulate telemetry data structures
    // to hit the incorrect boundary condition.
    try {
        // Hypothetical telemetry API interaction
        // In a real scenario, this would involve specific memory layout
        let maliciousPayload = new ArrayBuffer(0x1000);
        let view = new DataView(maliciousPayload);
        
        // Craft data designed to hit the boundary check failure
        for (let i = 0; i < 0x1000; i++) {
            view.setUint8(i, 0x41); // 'A'
        }

        // Trigger the vulnerability via the vulnerable component
        // Note: Actual exploitation requires precise memory address knowledge
        // and specific version targeting.
        console.log("[+] Payload prepared for Telemetry component.");
        // vulnerableTelemetryFunction(maliciousPayload);
    } catch (e) {
        console.log("[-] Exploit failed: " + e);
    }
}

triggerTelemetryOverflow();

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4687
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4687
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4687/
[4] VulDB https://vuldb.com/cve/CVE-2026-4687
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=2016368
[6] https://www.mozilla.org/security/advisories/mfsa2026-20/
[7] https://www.mozilla.org/security/advisories/mfsa2026-21/
[8] https://www.mozilla.org/security/advisories/mfsa2026-22/
[9] https://www.mozilla.org/security/advisories/mfsa2026-23/
[10] https://www.mozilla.org/security/advisories/mfsa2026-24/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4687", "sourceIdentifier": "[email protected]", "published": "2026-03-24T13:16:04.537", "lastModified": "2026-04-13T15:17:36.980", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Sandbox escape due to incorrect boundary conditions in the Telemetry component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."}, {"lang": "es", "value": "Escape de sandbox debido a condiciones de límite incorrectas en el componente de Telemetría. Esta vulnerabilidad afecta a Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, y Thunderbird < 140.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.0}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-754"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "115.34.0", "matchCriteriaId": "063BE653-69B0-4543-9A90-BC7A62C943B5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "149.0", "matchCriteriaId": "02F2B82F-E997-4D5F-BBB0-237E4962555B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionStartIncluding": "128.0", "versionEndExcluding": "140.9.0", "matchCriteriaId": "525DEC0C-BB47-46C6-9AEB-98F27D4685FE"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016368", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-21/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-22/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/", "source": "[email protected]"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-24/", "source": "[email protected]"}]}}