DEBIAN-CVE-2026-4716

DEBIAN-CVE-2026-4716 PUBLISHED CVSS 9.100000381469727 CRITICAL

Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component. This vulnerability was fixed in Firefox 149, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.

Risk Scores

CVSS 3.1

9.100000381469727

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Affected Products

Vendor	Product	Versions
Debian:13	firefox-esr	128.13.0esr-1, 128.14.0esr-1, 128.14.0esr-1~deb11u1
Debian:12	thunderbird	1:115.8.0-1~deb11u1, 1:115.8.1-1, 1:115.9.0-1
Debian:14	firefox-esr	128.14.0esr-1~deb12u1, 128.14.0esr-1~deb13u1, 140.9.0
Debian:13	thunderbird	1:140.4.0esr-1~deb11u1, 1:140.4.0esr-1, 1:140.3.0esr-1~deb13u1
Debian:11	firefox-esr	*, 102.1.0esr-1, 102.1.0esr-2
Debian:11	thunderbird	1:115.5.0-1~deb11u1, 1:115.5.0-1, 1:115.4.1-1~deb12u1
Debian:14	thunderbird	1:128.13.0esr-1, 1:128.14.0esr-1, 1:128.14.0esr-1~deb11u1
Debian:12	firefox-esr	115.5.0, 115.6.0, 115.6.0

Exploit Intelligence

mfsa2026-23.yml (github-poc)
2026.xml (github-poc)

Timeline

Mar 24, 2026 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-4716 advisory

Open in Interactive Console →