{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-4690","assignerOrgId":"f16b083a-5664-49f3-a51e-8d479e5ed7fe","state":"PUBLISHED","assignerShortName":"mozilla","dateReserved":"2026-03-23T23:21:42.156Z","datePublished":"2026-03-24T12:30:23.812Z","dateUpdated":"2026-04-13T13:48:40.559Z"},"containers":{"cna":{"affected":[{"product":"Firefox","vendor":"Mozilla","versions":[{"status":"unaffected","version":"115.34","lessThanOrEqual":"115.*","versionType":"rpm"},{"status":"unaffected","version":"140.9","lessThanOrEqual":"140.*","versionType":"rpm"},{"status":"unaffected","version":"149","lessThanOrEqual":"*","versionType":"rpm"}]},{"product":"Thunderbird","vendor":"Mozilla","versions":[{"status":"unaffected","version":"140.9","lessThanOrEqual":"140.*","versionType":"rpm"},{"status":"unaffected","version":"149","lessThanOrEqual":"*","versionType":"rpm"}]}],"descriptions":[{"lang":"en","value":"Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.","supportingMedia":[{"type":"text/html","base64":false,"value":"Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9."}]}],"title":"Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component","references":[{"url":"https://bugzilla.mozilla.org/show_bug.cgi?id=2016375"},{"url":"https://www.mozilla.org/security/advisories/mfsa2026-20/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2026-21/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2026-22/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2026-23/"},{"url":"https://www.mozilla.org/security/advisories/mfsa2026-24/"}],"credits":[{"lang":"en","value":"Sajeeb Lohani"}],"providerMetadata":{"orgId":"f16b083a-5664-49f3-a51e-8d479e5ed7fe","shortName":"mozilla","dateUpdated":"2026-04-13T13:48:40.559Z"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-190","lang":"en","description":"CWE-190 Integer Overflow or Wraparound"}]},{"descriptions":[{"type":"CWE","cweId":"CWE-120","lang":"en","description":"CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}],"metrics":[{"cvssV3_1":{"scope":"CHANGED","version":"3.1","baseScore":9.6,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","integrityImpact":"HIGH","userInteraction":"REQUIRED","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-03-25T03:56:01.292493Z","id":"CVE-2026-4690","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-25T14:07:54.846Z"}}]}}