CVE-2026-4723 is a use-after-free vulnerability identified in the JavaScript Engine component of Mozilla Firefox. Use-after-free vulnerabilities occur when a program continues to use a pointer after the memory it points to has been freed, potentially leading to memory corruption and arbitrary code execution. This vulnerability was reported by multiple researchers and fixed in Firefox 149. The CVSS 3.1 base score is 9.8, reflecting network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. The Mozilla Foundation's security advisory MFSA2026-20 confirms the fix and provides references to the underlying bug reports. No known exploits in the wild have been reported at the time of publication.

The vulnerability allows remote attackers to potentially execute arbitrary code or cause denial of service through memory corruption in the JavaScript Engine. Given the critical CVSS score of 9.8, successful exploitation could lead to full compromise of the affected Firefox browser instance. The flaw affects Firefox versions prior to 149. There are no known active exploits in the wild at the time of the advisory. The impact extends to confidentiality, integrity, and availability of the affected system.

Mozilla has released an official fix for this vulnerability in Firefox version 149. Users and administrators should update affected Firefox installations to version 149 or later to remediate this issue. No additional mitigation steps are required beyond applying the official update. Since this is not a cloud service, patching the client software is necessary to address the vulnerability.