Mozilla Firefox 114 Patches Critical Remote Code Execution Vulnerability
Key Takeaways Mozilla has issued a substantial security update, Firefox 149, addressing 37 vulnerabilities, including critical remote code execution and sandbox escape flaws. The patched...
Key Takeaways
- Mozilla has issued a substantial security update, Firefox 149, addressing 37 vulnerabilities, including critical remote code execution and sandbox escape flaws.
- The patched vulnerabilities span various components of the Firefox browser, with 16 rated as high severity, 17 moderate, and 4 low.
- A notable aspect of this update is the first multi-CVE contribution from an AI-assisted research team, utilizing Anthropic’s Claude.
- Users are strongly urged to update to Firefox 149 (or Firefox ESR 140.9 / 115.34 for extended support releases) immediately to mitigate these risks.
On March 24, 2026, Mozilla released Firefox 149, a significant security update that resolves 37 distinct vulnerabilities. This extensive advisory, designated MFSA 2026-20, addresses a wide array of security weaknesses within the browser, including critical memory corruption, sandbox escapes, use-after-free conditions, and remote code execution vulnerabilities across numerous components.
Table Of Content
Mozilla has assigned an overall “high” impact rating to this security update. The 37 CVEs are categorized into three severity levels: 16 classified as high, 17 as moderate, and 4 as low. A particular concern highlighted in the advisory is the presence of six confirmed sandbox escape vulnerabilities, which could allow attackers to bypass Firefox’s security isolation and execute arbitrary code directly on the underlying operating system.
High-Severity Vulnerabilities Addressed
The most severe issues patched in Firefox 149 include several memory corruption and sandbox escape vulnerabilities. Among these, CVE-2026-4684 details a race condition and use-after-free bug within the Graphics: WebRender component, identified by researcher Oskar L.
Several high-severity sandbox escape flaws were reported by Sajeeb Lohani, including CVE-2026-4687, CVE-2026-4688, CVE-2026-4689, and CVE-2026-4690. These vulnerabilities affect components such as Telemetry, Disability Access APIs, and XPCOM, posing a significant risk of breaking out of the browser’s protective sandbox.
Another critical fix is for CVE-2026-4698, a JIT miscompilation bug in the JavaScript Engine discovered by maxpl0it in collaboration with Trend Micro’s Zero Day Initiative. This flaw carries a high risk of enabling arbitrary code execution.
Rounding out the high-severity category are three memory safety rollup vulnerabilities: CVE-2026-4720, CVE-2026-4721, and CVE-2026-4729. Mozilla noted that some of these bugs exhibited signs of memory corruption, suggesting they could potentially be exploited for arbitrary code execution with sufficient effort.
AI-Assisted Vulnerability Discovery Marks a Milestone
A significant development in this advisory is the contribution from a research team comprising Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger. This team successfully leveraged Anthropic’s Claude AI to uncover six vulnerabilities, marking the first time a multi-CVE AI-assisted contribution has been made to a major browser security advisory.
The AI-discovered vulnerabilities include CVE-2026-4702 (JIT miscompilation), CVE-2026-4723 (use-after-free in the JavaScript Engine), CVE-2026-4724 (undefined behavior in Audio/Video), and several issues related to WebRTC Signaling.
Moderate and Low Severity Fixes
The moderate-severity tier addresses a diverse set of issues across components such as Canvas2D, Graphics, Audio/Video, and the JavaScript Engine. For instance, CVE-2026-4725 describes a sandbox escape vulnerability stemming from a use-after-free bug in the Canvas2D component, reported by Jun Yang.
Additionally, CVE-2026-4717, discovered by Satoki Tsuji, allows for privilege escalation within the Netmonitor component. The low-severity fixes include multiple denial-of-service vulnerabilities in the XML and NSS libraries (CVE-2026-4726, CVE-2025-59375, CVE-2026-4727) and a spoofing issue in the Privacy: Anti-Tracking component (CVE-2026-4728), reported by Aswinkumar Gokulakannan.
What You Should Do
- Update your Firefox browser to version 149 immediately. This can be done through the browser’s built-in updater (Help > About Firefox) or by downloading the latest version directly from Mozilla’s official website.
- For users of Firefox Extended Support Release (ESR), ensure you update to Firefox ESR 140.9 or Firefox ESR 115.34 to receive the relevant patches.
- Organizations should prioritize these updates across all enterprise deployments, especially given the presence of multiple sandbox escape and remote code execution vulnerabilities that could lead to significant system compromise.
- Regularly check for and apply security updates for all software, particularly web browsers, which are frequent targets for attackers.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.