CVE-2026-4684
Use-After-Free Race Condition in Firefox WebRender Component
Publication date: 2026-03-24
Last updated on: 2026-04-13
Assigner: Mozilla Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | firefox | to 149.0 (exc) |
| mozilla | firefox | to 115.34.0 (exc) |
| mozilla | firefox | From 128.0 (inc) to 140.9.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4684 is a high-impact security vulnerability found in the Graphics: WebRender component of Firefox browsers before version 149 and Firefox ESR versions before 115.34 and 140.9.
The vulnerability involves a race condition and use-after-free issue, which means that the program improperly handles concurrent operations and prematurely frees memory. This unsafe memory management can lead to memory corruption.
An attacker could exploit this flaw to cause arbitrary code execution or other security breaches related to graphics rendering in Firefox.
How can this vulnerability impact me? :
This vulnerability can lead to memory corruption within the Firefox WebRender graphics subsystem.
Exploitation of this flaw could allow attackers to execute arbitrary code on the affected system, potentially compromising the security and integrity of your device.
Such exploitation could result in unauthorized access, data breaches, or other malicious activities stemming from the compromised browser.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-4684 vulnerability, you should update your Firefox or Firefox ESR browser to the fixed versions.
- For Firefox, update to version 149 or later.
- For Firefox ESR, update to version 115.34 or later, or 140.9 or later depending on your ESR branch.
These updates address the race condition and use-after-free issues in the Graphics: WebRender component, preventing potential memory corruption and exploitation.