CVE-2026-2804 is a use-after-free vulnerability identified in the JavaScript WebAssembly component of Mozilla Firefox. Use-after-free (CWE-416) vulnerabilities occur when a program continues to use a pointer after the memory it points to has been freed, potentially leading to memory corruption or other unintended behavior. This vulnerability was resolved in Firefox 148 and Thunderbird 148. The CVSS 3.1 base score is 5.4 (medium), with vector AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and low impact on confidentiality and integrity, with no impact on availability. The Mozilla advisories list this vulnerability among many others fixed in these releases, emphasizing the importance of updating to these versions. No active exploitation has been reported.

The vulnerability could allow an attacker to cause use-after-free conditions in the JavaScript WebAssembly component, potentially leading to limited confidentiality and integrity impacts. The CVSS score reflects a medium severity with low impact on confidentiality and integrity and no impact on availability. There are no known exploits in the wild, reducing immediate risk. The vulnerability is mitigated by updating to Firefox 148 or Thunderbird 148, where the issue is fixed.

Mozilla has released official fixes for this vulnerability in Firefox 148 and Thunderbird 148. Users and administrators should update to these versions or later to remediate the vulnerability. No additional mitigation steps are required beyond applying the official patches. Since this is not a cloud service, remediation depends on user-side updates. Patch status is confirmed by the vendor advisory.