CVE-2026-4724 describes undefined behavior in the Audio/Video component of Mozilla Firefox. This vulnerability was fixed in Firefox 149 as part of a comprehensive security update addressing multiple high-impact bugs across various components including graphics, JavaScript engine, and sandbox escapes. The CVSS 3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating network attack vector, low attack complexity, no privileges or user interaction required, with high confidentiality and integrity impacts but no availability impact. The vendor advisory confirms the vulnerability is fixed in Firefox 149 and Thunderbird 149, with no known exploits in the wild.

The vulnerability could potentially allow an attacker to cause undefined behavior in the Audio/Video component, which might lead to compromise of confidentiality and integrity of the affected system. However, the vendor rates the impact of this specific issue as moderate within the context of the broader set of fixes. There are no reports of active exploitation in the wild. The vulnerability affects Firefox versions prior to 149.

Mozilla has released an official fix for CVE-2026-4724 in Firefox 149 and Thunderbird 149. Users and administrators should update affected products to these versions or later to remediate the vulnerability. No additional mitigation actions are required beyond applying the official update.