CVE-2026-2781

CRITICAL

Firefox and Thunderbird < 148 and < 140.8 - Integer Overflow in NSS Libraries

Title source: llm

Description

Integer overflow in the Libraries component in NSS. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, Thunderbird 140.8, and Firefox ESR 115.35.

References (7)

Core 7

Core References

Issue Tracking

https://bugzilla.mozilla.org/show_bug.cgi?id=2009552

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2026-13/

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2026-15/

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2026-16/

Vendor Advisory

https://www.mozilla.org/security/advisories/mfsa2026-17/

Mailing List

https://lists.debian.org/debian-lts-announce/2026/03/msg00012.html

https://www.mozilla.org/security/advisories/mfsa2026-31/

Scores

CVSS v3 9.8

EPSS 0.0036

EPSS Percentile 27.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-190

Status published

Products (13)

mozilla/firefox < 140.8.0

mozilla/firefox < 148.0

Mozilla/Firefox 115.35 - 115.*

Mozilla/Firefox 140.8 - 140.*

Mozilla/Firefox 148

Mozilla/Firefox unspecified - 148

Mozilla/Firefox ESR unspecified - 140.8

mozilla/thunderbird < 140.8.0

mozilla/thunderbird < 148.0

Mozilla/Thunderbird 140.8 - 140.*

... and 3 more

Published Feb 24, 2026

Tracked Since Feb 24, 2026