{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4722", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-03-23T23:22:42.876Z", "datePublished": "2026-03-24T12:30:30.232Z", "dateUpdated": "2026-04-13T13:50:22.290Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "149", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "149", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149."}]}], "title": "Privilege escalation in the IPC component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2010097"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "credits": [{"lang": "en", "value": "Nika Layzell"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:50:22.290Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-4722"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T03:56:07.332Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4722", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-24T14:56:05.532707Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T14:55:58.386Z"}}], "cna": {"title": "Privilege escalation in the IPC component", "credits": [{"lang": "en", "value": "Nika Layzell"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "149", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "149", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2010097"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "descriptions": [{"lang": "en", "value": "Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.", "supportingMedia": [{"type": "text/html", "value": "Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:50:22.290Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4722", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:50:22.290Z", "dateReserved": "2026-03-23T23:22:42.876Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-03-24T12:30:30.232Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "02F2B82F-E997-4D5F-BBB0-237E4962555B", "versionEndExcluding": "149.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Privilege escalation in the IPC component. This vulnerability was fixed in Firefox 149 and Thunderbird 149."}, {"lang": "es", "value": "Escalada de privilegios en el componente IPC. Esta vulnerabilidad afecta a Firefox < 149 y Thunderbird < 149."}], "id": "CVE-2026-4722", "lastModified": "2026-04-13T15:17:44.393", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-24T13:16:08.093", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2010097"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-20/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-23/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "firefox: Privilege escalation in the IPC component", "id": "2450737", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450737"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-270", "details": ["A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue:\nPrivilege escalation in the IPC component"], "name": "CVE-2026-4722", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-24T12:30:30Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4722\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4722\nhttps://www.mozilla.org/security/advisories/mfsa2026-20/#CVE-2026-4722"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,149)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-13T15:48:04.328830+00:00", "value": {"mitigation_remediation": ["Update Firefox to version 149 or later. ", "Update Thunderbird to version 149 or later."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Mozilla products, specifically Firefox and Thunderbird, are affected. Versions prior to 149 of each product contain the flaw; the issue was addressed in Firefox 149 and Thunderbird 149. Users running older releases should verify their current version and apply updates accordingly.", "description_and_impact": "A flaw in the interprocess communication component permits a local attacker to elevate privileges on the system. The vulnerability stems from improper handling of permissions, allowing a compromised process to gain higher rights. This increase in authority can compromise confidentiality, integrity, or availability depending on the attacker\u2019s objectives.", "risk_and_exploitability": "The CVSS score of 8.8 reflects a high severity level, yet the EPSS score is below 1%, indicating a low current exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector is inferred to be local, requiring an attacker with access to the user\u2019s session or to the IPC mechanism. Exploitation would need to exploit the permission misconfiguration within the IPC subsystem to gain escalated privileges."}}}}, "created": "2026-03-25T11:48:07.036378+00:00", "updated": "2026-04-14T16:43:11.580338+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}