DEBIAN-CVE-2026-2785

DEBIAN-CVE-2026-2785 PUBLISHED CVSS 9.800000190734863 CRITICAL

Invalid pointer in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Risk Scores

CVSS 3.1

9.800000190734863

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:14	thunderbird	140.5.0, 140.5.0, 140.6.0
Debian:13	firefox-esr	128.13.0esr-1, 128.14.0esr-1, 128.14.0esr-1~deb12u1
Debian:13	thunderbird	*, 1:128.13.0esr-1, 1:128.14.0esr-1
Debian:14	firefox-esr	0, 128.14.0esr-1, 128.14.0esr-1~deb11u1
Debian:11	thunderbird	1:91.6.2-1~deb9u1, 1:91.7.0-2, 1:91.7.0-2~deb10u1
Debian:12	thunderbird	115.6.0-1, 1:102.11.0-1, 1:102.12.0-1~deb11u1
Debian:12	firefox-esr	0, 102.11.0esr-1, 102.12.0esr-1
Debian:11	firefox-esr	128.4.0, 128.4.0, 128.5.0

Exploit Intelligence

meta.json (github-poc)
mfsa2026-15.yml (github-poc)
poc.js (github-poc)
poc.js (github-poc)

Timeline

Feb 24, 2026 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-2785 advisory

Open in Interactive Console →