CVE-2026-3846 is a vulnerability in Mozilla Firefox's CSS Parsing and Computation component that allows bypassing the same-origin policy, a critical web security mechanism. This flaw could enable unauthorized access to data across origins. Mozilla fixed this vulnerability in Firefox 148.0.2 as part of a security update addressing multiple memory safety bugs. The CVSS 3.1 base score is 6.5 (medium severity), with an attack vector of network, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. The vendor advisory explicitly states the fix is available and the impact is high due to memory safety concerns.

The vulnerability allows bypassing the same-origin policy, potentially enabling attackers to interfere with the integrity of web content by accessing or manipulating data across origins. Although confidentiality is not impacted, the integrity impact is high. This could lead to unauthorized actions or data manipulation within the browser context. The vendor advisory classifies the impact as high and notes memory safety bugs that could be exploited to run arbitrary code with enough effort. No known exploits are reported in the wild.

A security update fixing this vulnerability is available in Mozilla Firefox version 148.0.2. Users and administrators should apply this official fix promptly to mitigate the risk. Since the vendor advisory confirms the issue is fixed, no additional mitigation steps are required beyond updating to the patched version.