CVE-2026-2763

CRITICAL

Firefox < 115.33.0, < 148.0 and Thunderbird < 140.8.0, < 148.0 - Use-After-Free in JavaScript Engine

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-2763. PoCs published by ppwwiinn.

AI-analyzed exploit summary: The repository provides a detailed technical analysis of CVE-2026-2763, a use-after-free vulnerability in JavaScript's `for-in` loop implementation due to incorrect handling of `yield` and garbage collection. It includes a partial PoC in JavaScript but lacks a complete functional exploit.

Description

Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

Exploits (1)

nomisec WRITEUP
by ppwwiinn · poc
https://github.com/ppwwiinn/CVE-2026-2763-POC

Classification: Writeup 95%
Attack Type: RCE
Complexity: Complex
Reliability: Theoretical
Target: Mozilla SpiderMonkey JavaScript Engine (specific version not specified)
No auth needed
Prerequisites: JavaScript execution environment with SpiderMonkey engine · ability to trigger garbage collection
devstral-2 · analyzed Mar 07, 2026

Scores

CVSS v3 9.8
EPSS 0.0002
EPSS Percentile 7.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE: CWE-416
Status published
Products (9)
mozilla/firefox < 115.33.0
mozilla/firefox < 148.0
Mozilla/Firefox 115.33 - 115.*
Mozilla/Firefox 140.8 - 140.*
Mozilla/Firefox 148
mozilla/thunderbird < 140.8.0
mozilla/thunderbird < 148.0
Mozilla/Thunderbird 140.8 - 140.*
Mozilla/Thunderbird 148
Published Feb 24, 2026
Tracked Since Feb 24, 2026