CVE-2026-4684
Received Received - Intake
Use-After-Free Race Condition in Firefox WebRender Component

Publication date: 2026-03-24

Last updated on: 2026-04-13

Assigner: Mozilla Corporation

Description
Race condition, use-after-free in the Graphics: WebRender component. This vulnerability was fixed in Firefox 149, Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird 149, and Thunderbird 140.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-04-13
Generated
2026-06-19
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-18
NVD
CVE-2026-4684
EUVD
EUVD-2026-14792
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
mozilla firefox to 149.0 (exc)
mozilla firefox to 115.34.0 (exc)
mozilla firefox From 128.0 (inc) to 140.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-4684 is a high-impact security vulnerability found in the Graphics: WebRender component of Firefox browsers before version 149 and Firefox ESR versions before 115.34 and 140.9.

The vulnerability involves a race condition and use-after-free issue, which means that the program improperly handles concurrent operations and prematurely frees memory. This unsafe memory management can lead to memory corruption.

An attacker could exploit this flaw to cause arbitrary code execution or other security breaches related to graphics rendering in Firefox.

Impact Analysis

This vulnerability can lead to memory corruption within the Firefox WebRender graphics subsystem.

Exploitation of this flaw could allow attackers to execute arbitrary code on the affected system, potentially compromising the security and integrity of your device.

Such exploitation could result in unauthorized access, data breaches, or other malicious activities stemming from the compromised browser.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate the CVE-2026-4684 vulnerability, you should update your Firefox or Firefox ESR browser to the fixed versions.

  • For Firefox, update to version 149 or later.
  • For Firefox ESR, update to version 115.34 or later, or 140.9 or later depending on your ESR branch.

These updates address the race condition and use-after-free issues in the Graphics: WebRender component, preventing potential memory corruption and exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4684. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart