CVE-2026-2781

Integer overflow in the Libraries component in NSS. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, Thunderbird 140.8, and Firefox ESR 115.35.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=2009552	Issue Tracking Permissions Required
https://www.mozilla.org/security/advisories/mfsa2026-13/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2026-15/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2026-16/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2026-17/	Vendor Advisory
https://www.mozilla.org/security/advisories/mfsa2026-31/
https://lists.debian.org/debian-lts-announce/2026/03/msg00012.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:thunderbird:::::esr:::*
	cpe:2.3:a:mozilla:thunderbird:::::-:::*

History

21 Apr 2026, 13:16

Type	Values Removed	Values Added
Summary	~~(en) Integer overflow in the Libraries component in NSS. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.~~	(en) Integer overflow in the Libraries component in NSS. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, Thunderbird 140.8, and Firefox ESR 115.35.
References		() https://www.mozilla.org/security/advisories/mfsa2026-31/ -

13 Apr 2026, 15:17

Type	Values Removed	Values Added
Summary	~~(en) Integer overflow in the Libraries component in NSS. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.~~	(en) Integer overflow in the Libraries component in NSS. This vulnerability was fixed in Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.

25 Mar 2026, 17:16

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2026/03/msg00012.html -
Summary		(es) Desbordamiento de entero en el componente de librerías en NSS. Esta vulnerabilidad afecta a Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, y Thunderbird < 140.8.

25 Feb 2026, 15:48

Type	Values Removed	Values Added
CPE		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:thunderbird:::::-:::* cpe:2.3:a:mozilla:thunderbird:::::esr:::* cpe:2.3:a:mozilla:firefox:::::esr:::*
CWE		CWE-190
First Time		Mozilla Mozilla firefox Mozilla thunderbird
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
References	~~() https://bugzilla.mozilla.org/show_bug.cgi?id=2009552 -~~	() https://bugzilla.mozilla.org/show_bug.cgi?id=2009552 - Issue Tracking, Permissions Required
References	~~() https://www.mozilla.org/security/advisories/mfsa2026-13/ -~~	() https://www.mozilla.org/security/advisories/mfsa2026-13/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2026-15/ -~~	() https://www.mozilla.org/security/advisories/mfsa2026-15/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2026-16/ -~~	() https://www.mozilla.org/security/advisories/mfsa2026-16/ - Vendor Advisory
References	~~() https://www.mozilla.org/security/advisories/mfsa2026-17/ -~~	() https://www.mozilla.org/security/advisories/mfsa2026-17/ - Vendor Advisory

24 Feb 2026, 18:29

Type	Values Removed	Values Added
References		() https://www.mozilla.org/security/advisories/mfsa2026-16/ - () https://www.mozilla.org/security/advisories/mfsa2026-17/ -
Summary	~~(en) Integer overflow in the Libraries component in NSS. This vulnerability affects Firefox < 148 and Firefox ESR < 140.8.~~	(en) Integer overflow in the Libraries component in NSS. This vulnerability affects Firefox < 148, Firefox ESR < 140.8, Thunderbird < 148, and Thunderbird < 140.8.

24 Feb 2026, 14:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-24 14:16

Updated : 2026-04-21 13:16

NVD link : CVE-2026-2781

Mitre link : CVE-2026-2781

CVE.ORG link : CVE-2026-2781

JSON object : View

Products Affected

mozilla

firefox
thunderbird

CWE

CWE-190

Integer Overflow or Wraparound

9.8 /10