CVE-2026-4729 encompasses a set of memory safety bugs in Mozilla Firefox 148 and Thunderbird 148, some showing evidence of memory corruption that could be exploited to execute arbitrary code. The vulnerabilities affect multiple components including graphics (WebRender, Canvas2D), JavaScript engine (JIT miscompilation, use-after-free), audio/video processing, and sandbox escapes. Mozilla fixed these issues in Firefox 149 and Thunderbird 149. The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical impact with network attack vector, no privileges or user interaction required, and high confidentiality, integrity, and availability impacts. The vendor advisory is the authoritative source confirming the fixes.

Successful exploitation of these memory safety vulnerabilities could allow remote attackers to execute arbitrary code on affected systems without user interaction or privileges, potentially leading to full compromise of the Firefox or Thunderbird process. The high CVSS score reflects the critical nature of these flaws. However, no known exploits in the wild have been reported at the time of advisory publication. The vulnerabilities also include sandbox escape issues that could undermine process isolation.

Mozilla has released official fixes for these vulnerabilities in Firefox 149 and Thunderbird 149. Users and administrators should update to these versions immediately to mitigate the risk. The vendor advisory does not indicate any alternative mitigations or that the issues are already mitigated by other means. Patch status is confirmed as official-fix. No additional action beyond applying the updates is required.