CVE-2026-2771 – Mozilla Firefox 148 Security Update
“Firefox 148 shuts down dangerous browser paths before attackers can turn a routine session into code execution, sandbox escape, or privilege gain.”
Firefox 148 was released on February 24, 2026, under Mozilla Foundation Security Advisory 2026-13. This update closes browser-exposed weaknesses in WebRender, JavaScript, DOM, IndexedDB, Web Audio, Networking, and WebAuthn, and includes grouped memory-safety fixes. Mozilla says the memory-safety rollups showed evidence of memory corruption and may have been usable for arbitrary code execution with enough effort.
Verified CVSS v3.x scoring puts almost the entire advisory in High or Critical territory.
- Critical 10.0: CVE-2026-2760, CVE-2026-2761, CVE-2026-2768, CVE-2026-2776, and CVE-2026-2778.
- Critical 9.8: CVE-2026-2757, 2758, 2759, 2795, 2762, 2763, 2764, 2796, 2797, 2765, 2766, 2767, 2799, 2770, 2771, 2772, 2773, 2774, 2775, 2777, 2792, 2793, 2807, 2779, 2800, 2780, 2781, 2782, 2784, 2785, 2786, 2805, 2787, 2788, 2789, 2790, and 2791.
- Critical 9.1: CVE-2026-2806.
- High 8.8: CVE-2026-2798 and 2769.
- High 7.5: CVE-2026-2794, 2801, 2783, and 2803.

The only reviewed Firefox 148 items below High are CVE-2026-2802 at 4.2 Medium and CVE-2026-2804 at 5.4 Medium.
This is a security-first release that fixes more than 50 security issues. The most serious exposure runs through remote code execution-style memory corruption, sandbox escapes that break browser isolation, privilege paths that widen post-compromise impact, and critical networking and authentication-adjacent issues in JAR handling, cache behavior, and WebAuthn-related spoofing.
Key Details
- Affected Product: Mozilla Firefox
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-125