CVE-2026-2799 is a use-after-free vulnerability identified in the DOM: Core & HTML component of Mozilla Firefox. Use-after-free vulnerabilities occur when a program continues to use a pointer after the memory it points to has been freed, potentially leading to arbitrary code execution or crashes. This vulnerability was assigned a CVSS 3.1 base score of 8.8, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and high impact on confidentiality, integrity, and availability. Mozilla addressed this vulnerability in Firefox 148 and Thunderbird 148 as part of a broader set of security fixes. The vendor advisory explicitly states the vulnerability is fixed and provides references to the bug tracking system for further technical details.

The vulnerability allows an attacker to exploit a use-after-free condition in the DOM: Core & HTML component, potentially leading to arbitrary code execution, information disclosure, or denial of service. The CVSS score of 8.8 reflects a high impact on confidentiality, integrity, and availability. However, there are no known exploits in the wild at the time of the advisory. In Thunderbird, the risk is mitigated by disabled scripting in email reading contexts, reducing the likelihood of exploitation via email. The vulnerability affects all users running vulnerable versions prior to Firefox 148.

Mozilla has released an official fix for CVE-2026-2799 in Firefox 148 and Thunderbird 148. Users and administrators should update affected products to these versions or later to remediate the vulnerability. No additional mitigation steps are required beyond applying the official update. Patch status is confirmed by the vendor advisory.