CVE-2026-2772 is a use-after-free vulnerability classified under CWE-416, found in the Audio/Video playback component of Mozilla Firefox and Thunderbird. This vulnerability arises when the application incorrectly manages memory, freeing an object while it is still in use, which can lead to arbitrary code execution or application crashes. The affected products include Firefox versions earlier than 148, Firefox ESR versions earlier than 115.33 and 140.8, and Thunderbird versions earlier than 148 and 140.8. The vulnerability has a CVSS v3.1 base score of 8.8, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). This means a remote attacker can exploit this flaw by convincing a user to interact with malicious media content, potentially leading to full system compromise or denial of service. No patches or exploits are currently publicly available, but the vulnerability is published and recognized by Mozilla. The flaw’s presence in widely used browsers and email clients makes it a critical concern for end users and organizations relying on these products for secure communications and media playback.

The vulnerability could allow remote attackers to execute arbitrary code on affected systems, leading to full compromise of user data, system integrity, and availability. This can result in unauthorized access to sensitive information, installation of malware, or disruption of services. Since Firefox and Thunderbird are widely used across enterprises and individuals globally, exploitation could lead to widespread data breaches, espionage, or ransomware attacks. The requirement for user interaction means phishing or social engineering could be used to trigger the exploit. The high impact on confidentiality, integrity, and availability makes this a critical risk for organizations that rely on these applications for secure browsing and email communications. Additionally, the use-after-free nature of the vulnerability could be leveraged to bypass security mitigations, increasing the threat level.

Organizations and users should prioritize updating Firefox and Thunderbird to versions 148 or later, and Firefox ESR to versions 115.33 or 140.8 or later once patches are released. Until patches are available, disabling or restricting the use of the Audio/Video playback component via browser or client configuration can reduce exposure. Employing network-level protections such as web filtering to block access to untrusted or malicious media content can mitigate risk. Educate users to avoid interacting with suspicious links or media files, especially from untrusted sources. Implement endpoint detection and response (EDR) solutions to monitor for anomalous behavior indicative of exploitation attempts. Regularly audit and update security policies to include rapid deployment of critical browser and client updates. Consider sandboxing or isolating browser processes to limit potential damage from exploitation.