Mozilla has rolled out Firefox 149 on March 24, 2026, introducing a significant security update that addresses a total of 37 vulnerabilities. This update, under advisory MFSA 2026-20, marks one of the most substantial security bulletins issued for the browser, aiming to rectify issues ranging from memory corruption to remote code execution.
High-Severity Vulnerabilities in Firefox 149
The recent patch deals with vulnerabilities distributed across three levels of severity: 16 are categorized as high, 17 as moderate, and 4 as low. Notably, six sandbox escape vulnerabilities have been patched, which are critical as they allow attackers to execute arbitrary code outside Firefox’s secure environment.
A noteworthy vulnerability, CVE-2026-4684, involves a race condition paired with a use-after-free in the Graphics: WebRender component. This flaw, along with others like CVE-2026-4687 through CVE-2026-4690, represents significant threats due to their potential to bypass sandboxing mechanisms.
AI Contributions to Vulnerability Discovery
In a significant advancement, a research team employing AI tools, specifically Claude from Anthropic, contributed to identifying several vulnerabilities. These include CVE-2026-4702, a Just-In-Time (JIT) miscompilation issue, and various WebRTC signaling defects. This marks a milestone as the first instance of AI-assisted identification of multiple CVEs in a major browser update.
Other high-risk issues addressed involve memory safety bugs, such as CVE-2026-4720, CVE-2026-4721, and CVE-2026-4729, which have the potential for memory corruption and arbitrary code execution, underscoring the critical nature of these updates.
Moderate and Low Severity Issues
The patch also addresses moderate-severity issues affecting components like Canvas2D, Graphics, and the JavaScript Engine. CVE-2026-4725, for instance, is a sandbox escape vulnerability reported in the Canvas2D component.
Low-severity flaws include denial-of-service vulnerabilities and a spoofing issue in the Privacy: Anti-Tracking component. These lower-tier vulnerabilities, while less critical, still pose risks that are mitigated by this comprehensive update.
All Firefox users, including those on ESR versions 140.9 and 115.34, are encouraged to update to Firefox 149 to safeguard against these vulnerabilities. The update is available through Firefox’s built-in updater or directly from Mozilla’s website. Organizations, particularly those managing enterprise setups, should prioritize these updates due to the presence of several high-risk vulnerabilities.
Stay informed on the latest cybersecurity developments by following us on Google News, LinkedIn, and X. For more stories or inquiries, feel free to contact us.
