Firefox 149 Released With Patches for 37 Vulnerabilities that Enable Remote Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Mozilla released Firefox 149 on March 24, 2026, delivering one of the largest security advisories in the browser’s recent history, addressing 37 vulnerabilities spanning memory corruption, sandbox escapes, use-after-free flaws, and remote code execution risks across multiple browser components.

Published under advisory MFSA 2026-20, the security update carries an overall “high” impact rating from Mozilla. The 37 CVEs are distributed across three severity tiers: 16 rated high, 17 rated moderate, and 4 rated low.

Among the most alarming findings are six confirmed sandbox escape vulnerabilities, a class of flaw that allows attackers to break out of Firefox’s isolation boundary and execute arbitrary code directly on the host system.

Firefox High-Severity Vulnerabilities

The most critical vulnerabilities fixed in this release include multiple memory corruption and sandbox escape issues. CVE-2026-4684 involves a race condition and use-after-free in the Graphics: WebRender component, reported by Oskar L.

CVE-2026-4687, CVE-2026-4688, CVE-2026-4689, and CVE-2026-4690 are all sandbox escape flaws found in the Telemetry, Disability Access APIs, and XPCOM components, each carrying a high severity rating and reported by researcher Sajeeb Lohani.

CVE-2026-4698, a JIT miscompilation bug in the JavaScript Engine, was discovered by maxpl0it working with Trend Micro’s Zero Day Initiative and poses a high risk of arbitrary code execution.

Three memory safety rollup vulnerabilities, CVE-2026-4720, CVE-2026-4721, and CVE-2026-4729, round out the high-severity tier, with Mozilla noting that “some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.”

AI-Assisted Vulnerability Discovery

A notable milestone in this advisory is the contribution from a research team, Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger, who used Claude from Anthropic to discover six vulnerabilities.

These include CVE-2026-4702 (JIT miscompilation), CVE-2026-4723 (use-after-free in the JavaScript Engine), CVE-2026-4724 (undefined behavior in Audio/Video), and multiple WebRTC Signaling issues. It is the first multi-CVE AI-assisted contribution to a major browser security advisory.

| CVE ID | Vulnerability Description | Severity | Reporter |
|---|---|---|---|
| CVE-2026-4684 | Race condition, use-after-free | High | Oskar L |
| CVE-2026-4685 | Incorrect boundary conditions | High | Sajeeb Lohani |
| CVE-2026-4686 | Incorrect boundary conditions | High | Sajeeb Lohani |
| CVE-2026-4687 | Sandbox escape via incorrect boundary conditions | High | Sajeeb Lohani |
| CVE-2026-4688 | Sandbox escape via use-after-free | High | Sajeeb Lohani |
| CVE-2026-4689 | Sandbox escape via incorrect boundary conditions, integer overflow | High | Sajeeb Lohani |
| CVE-2026-4690 | Sandbox escape via incorrect boundary conditions, integer overflow | High | Sajeeb Lohani |
| CVE-2026-4691 | Use-after-free | High | Fabius Artrel |
| CVE-2026-4692 | Sandbox escape | High | Tom Ritter |
| CVE-2026-4693 | Incorrect boundary conditions | High | Sajeeb Lohani |
| CVE-2026-4694 | Incorrect boundary conditions, integer overflow | High | Sajeeb Lohani |
| CVE-2026-4695 | Incorrect boundary conditions | High | Atte Kettunen |
| CVE-2026-4696 | Use-after-free | High | Sota Wada |
| CVE-2026-4697 | Incorrect boundary conditions | High | Lorenzo |
| CVE-2026-4698 | JIT miscompilation | High | maxpl0it (Trend Micro ZDI) |
| CVE-2026-4699 | Incorrect boundary conditions | High | Matej Smycka |
| CVE-2026-4720 | Memory safety bugs (memory corruption / arbitrary code execution) | High | Christian Holler, Gabriele Svelto, Tom Schuster & Mozilla Fuzzing Team |
| CVE-2026-4729 | Memory safety bugs (memory corruption / arbitrary code execution) | High | Christian Holler, Fatih Kilic, Tom Schuster & Mozilla Fuzzing Team |
| CVE-2026-4721 | Memory safety bugs (memory corruption / arbitrary code execution) | High | Christian Holler, Timothy Nikkel, Tom Schuster & Mozilla Fuzzing Team |
| CVE-2026-4700 | Mitigation bypass | Moderate | pizzahunthack1 |
| CVE-2026-4701 | Use-after-free | Moderate | Gary Kwong |
| CVE-2026-4722 | Privilege escalation | Moderate | Nika Layzell |
| CVE-2026-4702 | JIT miscompilation | Moderate | Ben Asher et al. (via Claude/Anthropic) |
| CVE-2026-4723 | Use-after-free | Moderate | Ben Asher et al. (via Claude/Anthropic) |
| CVE-2026-4724 | Undefined behavior | Moderate | Ben Asher et al. (via Claude/Anthropic) |
| CVE-2026-4704 | Denial of service | Moderate | Ben Asher et al. (via Claude/Anthropic) |
| CVE-2026-4705 | Undefined behavior | Moderate | Ben Asher et al. (via Claude/Anthropic) |
| CVE-2026-4706 | Incorrect boundary conditions | Moderate | Jun Yang |
| CVE-2026-4707 | Incorrect boundary conditions | Moderate | Sajeeb Lohani |
| CVE-2026-4708 | Incorrect boundary conditions | Moderate | Sajeeb Lohani |
| CVE-2026-4709 | Incorrect boundary conditions | Moderate | Sajeeb Lohani |
| CVE-2026-4710 | Incorrect boundary conditions | Moderate | Sajeeb Lohani |
| CVE-2026-4711 | Use-after-free | Moderate | Josh Aas |
| CVE-2026-4725 | Sandbox escape via use-after-free | Moderate | Jun Yang |
| CVE-2026-4712 | Information disclosure | Moderate | Josh Aas |
| CVE-2026-4713 | Incorrect boundary conditions | Moderate | Sajeeb Lohani |
| CVE-2026-4714 | Incorrect boundary conditions | Moderate | Sajeeb Lohani |
| CVE-2026-4715 | Uninitialized memory | Moderate | Jun Yang |
| CVE-2026-4716 | Incorrect boundary conditions, uninitialized memory | Moderate | Pwn2addr |
| CVE-2026-4717 | Privilege escalation | Moderate | Satoki Tsuji |
| CVE-2026-4726 | Denial of service | Low | Hanno Boeck |
| CVE-2025-59375 | Denial of service | Low | Jan Horak |
| CVE-2026-4727 | Denial of service | Low | Cody |
| CVE-2026-4728 | Spoofing | Low | Aswinkumar Gokulakannan |
| CVE-2026-4718 | Undefined behavior | Low | Ben Asher et al. (via Claude/Anthropic) |
| CVE-2026-4719 | Incorrect boundary conditions | Low | Sajeeb Lohani |

The moderate-severity tier features a broad range of issues across the Canvas2D, Graphics, Audio/Video, and JavaScript Engine components. CVE-2026-4725 is a sandbox escape via use-after-free in the Canvas2D component, reported by Jun Yang.

CVE-2026-4717 allows privilege escalation in the Netmonitor component, discovered by Satoki Tsuji. Low-severity fixes include denial-of-service bugs in the XML and NSS libraries (CVE-2026-4726, CVE-2025-59375, CVE-2026-4727) and a spoofing issue in the Privacy: Anti-Tracking component (CVE-2026-4728), reported by Aswinkumar Gokulakannan.

Affected Versions and Mitigation

All vulnerabilities affect Firefox versions prior to 149. Firefox ESR 140.9 and Firefox ESR 115.34 also received corresponding patches for a subset of these flaws. Users are strongly advised to update to Firefox 149 immediately via the browser’s built-in updater or by downloading directly from Mozilla’s official website.

Organizations managing enterprise deployments should prioritize patching, given the presence of multiple sandbox-escape and remote-code-execution vectors in this release.
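As an added example (not code from the article or from Mozilla), the following Python turns the fixed-version thresholds stated above (Firefox 149, ESR 140.9, ESR 115.34) into a check an administrator can run over a version inventory. The hostnames and versions in it are constructed, and it treats ESR branches the advisory does not name as unpatched.

```python
# Added example: classify Firefox version strings against the MFSA 2026-20
# thresholds the article states. Nothing here is Mozilla's own code.
import re
from typing import Dict, List, Tuple

# Minimum fixed version per branch, taken from the advisory text.
FIXED_RELEASE = (149, 0, 0)
FIXED_ESR = {115: (115, 34, 0), 140: (140, 9, 0)}

# Accepts '148.0.1', '140.8.0esr', '115.33esr', '148.0b3', '150.0a1'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(esr)|[ab]\d+)?$", re.I)


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_esr); raise ValueError on junk."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)          # '115.34esr' has no patch field
    return (major, minor, patch), bool(m.group(4))


def is_patched(text: str) -> bool:
    """True if this version carries the MFSA 2026-20 fixes."""
    ver, esr = parse_version(text)
    if esr or ver[0] in FIXED_ESR:
        # ESR trains are patched per branch; a branch the advisory does not
        # name (assumption: treat as unpatched, since no fix is listed for it).
        fixed = FIXED_ESR.get(ver[0])
        return fixed is not None and ver >= fixed
    return ver >= FIXED_RELEASE


def needs_update(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: version}, return the hosts still exposed, sorted."""
    return sorted(host for host, ver in inventory.items() if not is_patched(ver))


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "ws-01": "148.0.1",        # release train, pre-149: exposed
    "ws-02": "149.0",          # fixed release
    "srv-kiosk": "140.8.0esr", # ESR 140 below 140.9: exposed
    "lab-legacy": "115.34.0esr",
}

if __name__ == "__main__":
    for host in needs_update(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} needs the Firefox 149 / ESR update")
```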
