
Firefox 149 Released With Patch for 37 Vulnerabilities that Enable Remote Attacks

Cybersecurity News, Mar 25, 2026




Mozilla released Firefox 149 on March 24, 2026, delivering one of the largest security advisories in the browser's recent history. The release addresses 37 vulnerabilities spanning memory corruption, sandbox escapes, use-after-free flaws, and remote code execution risks across multiple browser components. Published under advisory MFSA 2026-20, the security update carries an overall "high" impact rating from Mozilla.

The 37 CVEs are distributed across three severity tiers: 16 rated high, 17 rated moderate, and 4 rated low. Among the most alarming findings are six confirmed sandbox escape vulnerabilities, a class of flaw that lets an attacker break out of Firefox's isolation boundary and execute arbitrary code directly on the host system.

Firefox High-Severity Vulnerabilities

The most critical vulnerabilities fixed in this release include multiple memory corruption and sandbox escape issues. CVE-2026-4684 involves a race condition and use-after-free in the Graphics: WebRender component, reported by Oskar L. CVE-2026-4687, CVE-2026-4688, CVE-2026-4689, and CVE-2026-4690 are all sandbox escape flaws found in the Telemetry, Disability Access APIs, and XPCOM components, each carrying a high severity rating and reported by researcher Sajeeb Lohani. CVE-2026-4698, a JIT miscompilation bug in the JavaScript Engine, was discovered by maxpl0it working with Trend Micro's Zero Day Initiative and poses a high risk of arbitrary code execution.

Three memory safety rollup vulnerabilities, CVE-2026-4720, CVE-2026-4721, and CVE-2026-4729, round out the high-severity tier. Mozilla notes that "some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code."

AI-Assisted Vulnerability Discovery

A notable milestone in this advisory is the contribution from a research team, Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger, who used Claude from Anthropic to discover six vulnerabilities. These include CVE-2026-4702 (JIT miscompilation), CVE-2026-4723 (use-after-free in the JavaScript Engine), CVE-2026-4724 (undefined behavior in Audio/Video), and multiple WebRTC Signaling issues. It is the first multi-CVE AI-assisted contribution to a major browser security advisory.

CVE ID | Vulnerability Description | Severity | Reporter
CVE-2026-4684 | Race condition, use-after-free | High | Oskar L
CVE-2026-4685 | Incorrect boundary conditions | High | Sajeeb Lohani
CVE-2026-4686 | Incorrect boundary conditions | High | Sajeeb Lohani
CVE-2026-4687 | Sandbox escape via incorrect boundary conditions | High | Sajeeb Lohani
CVE-2026-4688 | Sandbox escape via use-after-free | High | Sajeeb Lohani
CVE-2026-4689 | Sandbox escape via incorrect boundary conditions, integer overflow | High | Sajeeb Lohani
CVE-2026-4690 | Sandbox escape via incorrect boundary conditions, integer overflow | High | Sajeeb Lohani
CVE-2026-4691 | Use-after-free | High | Fabius Artrel
CVE-2026-4692 | Sandbox escape | High | Tom Ritter
CVE-2026-4693 | Incorrect boundary conditions | High | Sajeeb Lohani
CVE-2026-4694 | Incorrect boundary conditions, integer overflow | High | Sajeeb Lohani
CVE-2026-4695 | Incorrect boundary conditions | High | Atte Kettunen
CVE-2026-4696 | Use-after-free | High | Sota Wada
CVE-2026-4697 | Incorrect boundary conditions | High | Lorenzo
CVE-2026-4698 | JIT miscompilation | High | maxpl0it (Trend Micro ZDI)
CVE-2026-4699 | Incorrect boundary conditions | High | Matej Smycka
CVE-2026-4720 | Memory safety bugs (memory corruption / arbitrary code execution) | High | Christian Holler, Gabriele Svelto, Tom Schuster & Mozilla Fuzzing Team
CVE-2026-4729 | Memory safety bugs (memory corruption / arbitrary code execution) | High | Christian Holler, Fatih Kilic, Tom Schuster & Mozilla Fuzzing Team
CVE-2026-4721 | Memory safety bugs (memory corruption / arbitrary code execution) | High | Christian Holler, Timothy Nikkel, Tom Schuster & Mozilla Fuzzing Team
CVE-2026-4700 | Mitigation bypass | Moderate | pizzahunthack1
CVE-2026-4701 | Use-after-free | Moderate | Gary Kwong
CVE-2026-4722 | Privilege escalation | Moderate | Nika Layzell
CVE-2026-4702 | JIT miscompilation | Moderate | Ben Asher et al. (via Claude/Anthropic)
CVE-2026-4723 | Use-after-free | Moderate | Ben Asher et al. (via Claude/Anthropic)
CVE-2026-4724 | Undefined behavior | Moderate | Ben Asher et al. (via Claude/Anthropic)
CVE-2026-4704 | Denial of service | Moderate | Ben Asher et al. (via Claude/Anthropic)
CVE-2026-4705 | Undefined behavior | Moderate | Ben Asher et al. (via Claude/Anthropic)
CVE-2026-4706 | Incorrect boundary conditions | Moderate | Jun Yang
CVE-2026-4707 | Incorrect boundary conditions | Moderate | Sajeeb Lohani
CVE-2026-4708 | Incorrect boundary conditions | Moderate | Sajeeb Lohani
CVE-2026-4709 | Incorrect boundary conditions | Moderate | Sajeeb Lohani
CVE-2026-4710 | Incorrect boundary conditions | Moderate | Sajeeb Lohani
CVE-2026-4711 | Use-after-free | Moderate | Josh Aas
CVE-2026-4725 | Sandbox escape via use-after-free | Moderate | Jun Yang
CVE-2026-4712 | Information disclosure | Moderate | Josh Aas
CVE-2026-4713 | Incorrect boundary conditions | Moderate | Sajeeb Lohani
CVE-2026-4714 | Incorrect boundary conditions | Moderate | Sajeeb Lohani
CVE-2026-4715 | Uninitialized memory | Moderate | Jun Yang
CVE-2026-4716 | Incorrect boundary conditions, uninitialized memory | Moderate | Pwn2addr
CVE-2026-4717 | Privilege escalation | Moderate | Satoki Tsuji
CVE-2026-4726 | Denial of service | Low | Hanno Boeck
CVE-2025-59375 | Denial of service | Low | Jan Horak
CVE-2026-4727 | Denial of service | Low | Cody
CVE-2026-4728 | Spoofing | Low | Aswinkumar Gokulakannan
CVE-2026-4718 | Undefined behavior | Low | Ben Asher et al. (via Claude/Anthropic)
CVE-2026-4719 | Incorrect boundary conditions | Low | Sajeeb Lohani

The moderate-severity tier features a broad range of issues across the Canvas2D, Graphics, Audio/Video, and JavaScript Engine components. CVE-2026-4725 is a sandbox escape via use-after-free in the Canvas2D component, reported by Jun Yang. CVE-2026-4717 allows privilege escalation in the Netmonitor component, discovered by Satoki Tsuji.

Low-severity fixes include denial-of-service bugs in the XML and NSS libraries (CVE-2026-4726, CVE-2025-59375, CVE-2026-4727) and a spoofing issue in the Privacy: Anti-Tracking component (CVE-2026-4728), reported by Aswinkumar Gokulakannan.

Affected Versions and Mitigation

All vulnerabilities affect Firefox versions prior to 149. Firefox ESR 140.9 and Firefox ESR 115.34 also received corresponding patches for a subset of these flaws.

Users are strongly advised to update to Firefox 149 immediately via the browser's built-in updater or by downloading directly from Mozilla's official website. Organizations managing enterprise deployments should prioritize patching, given the presence of multiple sandbox-escape and remote-code-execution vectors in this release.
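For an administrator, the mitigation guidance above reduces to one question per endpoint: is the installed build at or past the fixed version for its channel? The script below is an added example of that inventory check; it is not Mozilla's code and not part of the original article. The fixed-version thresholds (149 for the release channel, 140.9 and 115.34 for ESR) are the ones the article reports; the host names and version strings are constructed sample data, and treating an ESR branch the article does not name as unpatched is an assumption of this example.

```python
"""Flag Firefox installs that predate the MFSA 2026-20 fixes.

Added example for an inventory/version audit; not Mozilla's code and not from
the article. Fixed versions (149, ESR 140.9, ESR 115.34) are those the article
reports. Host names and version strings below are constructed sample data.
"""
from __future__ import annotations

import re

# Minimum patched build per channel, as reported in the article.
# Versions are normalised to three numeric components before comparison.
FIXED_RELEASE = (149, 0, 0)
FIXED_ESR = {115: (115, 34, 0), 140: (140, 9, 0)}

# Constructed sample inventory: host -> Firefox version string as reported.
SAMPLE_INVENTORY = {
    "ws-01": "149.0",
    "ws-02": "148.0.2",
    "ws-03": "140.8.1esr",
    "srv-kiosk": "140.9.0esr",
    "srv-legacy": "115.33.0esr",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '140.9.0esr' or '149.0' into a 3-tuple of ints, dropping suffixes."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised Firefox version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad so '149' compares equal to '149.0.0'
    return tuple(parts[:3])


def is_esr(text: str) -> bool:
    """Firefox ESR builds report versions like '140.9.0esr'."""
    return "esr" in text.lower()


def is_patched(version: str) -> bool:
    """True if this build includes the fixes for its channel."""
    v = parse_version(version)
    if is_esr(version):
        fixed = FIXED_ESR.get(v[0])
        # Assumption: an ESR branch the advisory does not name received no fix,
        # so it is flagged for attention rather than silently passed.
        return fixed is not None and v >= fixed
    return v >= FIXED_RELEASE


def hosts_needing_update(inventory: dict[str, str]) -> list[str]:
    """Return the sorted host names whose Firefox build is still unpatched."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        status = "ok" if is_patched(ver) else "UPDATE REQUIRED"
        print(f"{host:<12} {ver:<14} {status}")
    print("Hosts needing update:", ", ".join(hosts_needing_update(SAMPLE_INVENTORY)))
```

Run as a script it prints one line per host; imported, `hosts_needing_update` returns the list for a ticketing or reporting step. The channel is decided from the `esr` suffix that Firefox itself puts on ESR version strings, so an ESR build recorded as a bare `140.9.0` would be judged against the release-channel threshold and flagged; normalise inventory data before trusting the result.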