CVE-2026-4725: Sandbox escape due to use-after-free in the Graphics: Canvas2D component
Published Mar 24, 2026
·Updated
Sandbox escape due to use-after-free in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 149 and Thunderbird 149.
Affected Software
4 affected componentsFixes available
Mozilla Firefox<149
Mozilla Firefox<149
149
Mozilla Firefox<149.0
Mozilla Thunderbird<149
149
Event History
Mar 24, 2026
CVE Published
via Mozilla·12:00 AM
Data Sourced
via Mozilla·12:00 AM
DescriptionSeverityAffected Software
Updated
via Mozilla·12:00 AM
Affected Software
CVE Published
via MITRE·12:30 PM
Data Sourced
via MITRE·12:30 PM
Description
Data Sourced
via NVD·01:16 PM
DescriptionSeverityWeaknessAffected Software
Apr 7, 58249
Event
via FIRST·12:22 PM
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2026-4684
- CVE-2026-4685
- CVE-2026-4686
- CVE-2026-4687
- CVE-2026-4688
- CVE-2026-4689
- CVE-2026-4690
- CVE-2026-4691
- CVE-2026-4692
- CVE-2026-4693
- CVE-2026-4694
- CVE-2026-4695
- CVE-2026-4696
- CVE-2026-4697
- CVE-2026-4698
- CVE-2026-4699
- CVE-2026-4700
- CVE-2026-4701
- CVE-2026-4722
- CVE-2026-4702
- CVE-2026-4723
- CVE-2026-4724
- CVE-2026-4704
- CVE-2026-4705
- CVE-2026-4706
- CVE-2026-4707
- CVE-2026-4708
- CVE-2026-4709
- CVE-2026-4710
- CVE-2026-4711
- CVE-2026-4725
- CVE-2026-4712
- CVE-2026-4713
- CVE-2026-4714
- CVE-2026-4715
- CVE-2026-4716
- CVE-2026-4717
- CVE-2026-4726
- CVE-2025-59375
- CVE-2026-4727
- CVE-2026-4728
- CVE-2026-4718
- CVE-2026-4719
- CVE-2026-4720
- CVE-2026-4729
- CVE-2026-4721
- CVE-2026-3889
- CVE-2026-4371
Frequently Asked Questions
1
What is the severity of CVE-2026-4725?
CVE-2026-4725 is considered a critical vulnerability due to its potential for sandbox escape.
2
How do I fix CVE-2026-4725?
To fix CVE-2026-4725, upgrade to Firefox version 149 or later.
3
What components are impacted by CVE-2026-4725?
CVE-2026-4725 affects the Graphics: Canvas2D component of Firefox.
4
What versions of Firefox are affected by CVE-2026-4725?
CVE-2026-4725 affects all Firefox versions prior to 149.
5
Can CVE-2026-4725 be exploited remotely?
Yes, CVE-2026-4725 can be exploited remotely due to the nature of the sandbox escape.