Mozilla Firefox 114 Patches Critical Remote Code Execution Vulnerability

Jennifer Sherman
March 25, 2026

Key Takeaways

  • Mozilla has issued a substantial security update, Firefox 149, addressing 37 vulnerabilities, including critical remote code execution and sandbox escape flaws.
  • The patched vulnerabilities span various components of the Firefox browser, with 16 rated as high severity, 17 moderate, and 4 low.
  • A notable aspect of this update is the first multi-CVE contribution from an AI-assisted research team, utilizing Anthropic’s Claude.
  • Users are strongly urged to update to Firefox 149 (or Firefox ESR 140.9 / 115.34 for extended support releases) immediately to mitigate these risks.

On March 24, 2026, Mozilla released Firefox 149, a significant security update that resolves 37 distinct vulnerabilities. This extensive advisory, designated MFSA 2026-20, addresses a wide array of security weaknesses within the browser, including critical memory corruption, sandbox escapes, use-after-free conditions, and remote code execution vulnerabilities across numerous components.

Mozilla has assigned an overall “high” impact rating to this security update. The 37 CVEs are categorized into three severity levels: 16 classified as high, 17 as moderate, and 4 as low. A particular concern highlighted in the advisory is the presence of six confirmed sandbox escape vulnerabilities, which could allow attackers to bypass Firefox’s security isolation and execute arbitrary code directly on the underlying operating system.

High-Severity Vulnerabilities Addressed

The most severe issues patched in Firefox 149 include several memory corruption and sandbox escape vulnerabilities. Among these, CVE-2026-4684 is a race condition and use-after-free bug in the Graphics: WebRender component, identified by researcher Oskar L.

Several high-severity sandbox escape flaws were reported by Sajeeb Lohani, including CVE-2026-4687, CVE-2026-4688, CVE-2026-4689, and CVE-2026-4690. These vulnerabilities affect components such as Telemetry, Disability Access APIs, and XPCOM, posing a significant risk of breaking out of the browser’s protective sandbox.

Another high-severity fix is for CVE-2026-4698, a JIT miscompilation bug in the JavaScript Engine discovered by maxpl0it in collaboration with Trend Micro’s Zero Day Initiative. This flaw carries a high risk of enabling arbitrary code execution.

Rounding out the high-severity category are three memory safety rollup vulnerabilities: CVE-2026-4720, CVE-2026-4721, and CVE-2026-4729. Mozilla noted that some of these bugs exhibited signs of memory corruption, suggesting they could potentially be exploited for arbitrary code execution with sufficient effort.

AI-Assisted Vulnerability Discovery Marks a Milestone

A significant development in this advisory is the contribution from a research team comprising Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger. This team successfully leveraged Anthropic’s Claude AI to uncover six vulnerabilities, marking the first time a multi-CVE AI-assisted contribution has been made to a major browser security advisory.

The AI-discovered vulnerabilities include CVE-2026-4702 (JIT miscompilation), CVE-2026-4723 (use-after-free in the JavaScript Engine), CVE-2026-4724 (undefined behavior in Audio/Video), and several issues related to WebRTC Signaling.

Moderate and Low Severity Fixes

The moderate-severity tier addresses a diverse set of issues across components such as Canvas2D, Graphics, Audio/Video, and the JavaScript Engine. For instance, CVE-2026-4725 describes a sandbox escape vulnerability stemming from a use-after-free bug in the Canvas2D component, reported by Jun Yang.

Additionally, CVE-2026-4717, discovered by Satoki Tsuji, allows for privilege escalation within the Netmonitor component. The low-severity fixes include multiple denial-of-service vulnerabilities in the XML and NSS libraries (CVE-2026-4726, CVE-2025-59375, CVE-2026-4727) and a spoofing issue in the Privacy: Anti-Tracking component (CVE-2026-4728), reported by Aswinkumar Gokulakannan.

What You Should Do

  • Update your Firefox browser to version 149 immediately. This can be done through the browser’s built-in updater (Help > About Firefox) or by downloading the latest version directly from Mozilla’s official website.
  • For users of Firefox Extended Support Release (ESR), ensure you update to Firefox ESR 140.9 or Firefox ESR 115.34 to receive the relevant patches.
  • Organizations should prioritize these updates across all enterprise deployments, especially given the presence of multiple sandbox escape and remote code execution vulnerabilities that could lead to significant system compromise.
  • Regularly check for and apply security updates for all software, particularly web browsers, which are frequent targets for attackers.
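
For enterprise deployments, the version thresholds listed above can be turned into a fleet check. The following is an added example, not part of the original article or any Mozilla tooling; the hostnames, the inventory format (one `firefox --version`-style string per host) and the function names are assumptions.

```python
import re

# Minimum fixed versions taken from the article above.
FIXED_RELEASE = (149, 0)
FIXED_ESR = {140: (140, 9), 115: (115, 34)}  # ESR branch -> first fixed version
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.\d+)*", re.ASCII)


def classify(version_line):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory line."""
    m = _VERSION_RE.search(version_line)
    if not m:
        return "unknown"  # never count unparsable data as patched
    version = (int(m.group(1)), int(m.group(2)))
    is_esr = "esr" in version_line.lower()
    if is_esr and version[0] in FIXED_ESR:
        return "patched" if version >= FIXED_ESR[version[0]] else "vulnerable"
    # Regular releases, and ESR branches the article lists no fix for, need 149+.
    return "patched" if version >= FIXED_RELEASE else "vulnerable"


def audit(inventory):
    """Map host -> status for every host that is not confirmed patched."""
    findings = {}
    for host, line in inventory.items():
        status = classify(line)
        if status != "patched":
            findings[host] = status
    return findings


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-001": "Mozilla Firefox 149.0",
    "ws-002": "Mozilla Firefox 148.0.2",
    "ws-003": "Mozilla Firefox 140.9.0esr",
    "ws-004": "Mozilla Firefox 140.8.1esr",
    "ws-005": "Mozilla Firefox 115.34.0esr",
    "ws-006": "Mozilla Firefox 128.14.0esr",
    "ws-007": "firefox: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

The check relies on the `esr` marker being present in the collected string: an ESR 140.9 install whose inventory record has lost that marker is compared against 149 and reported as vulnerable, which fails safe but produces a false positive.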
