CVE-2026-4689

Publication date 26 March 2026

Last updated 26 March 2026

Ubuntu priority

Description

Sandbox escape due to incorrect boundary conditions, integer overflow in the XPCOM component. This vulnerability affects Firefox < 149, Firefox ESR < 115.34, Firefox ESR < 140.9, Thunderbird < 149, and Thunderbird < 140.9.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
mozjs91	25.10 questing	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Ignored
firefox	25.10 questing	Not affected
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Not affected
thunderbird	25.10 questing	Not affected
	24.04 LTS noble	Not affected
	22.04 LTS jammy	Vulnerable
mozjs38	25.10 questing	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	18.04 LTS bionic	Needs evaluation
mozjs52	25.10 questing	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Ignored
	18.04 LTS bionic	Ignored
mozjs68	25.10 questing	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Ignored
mozjs78	25.10 questing	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Ignored
mozjs102	25.10 questing	Not in release
	24.04 LTS noble	Ignored
	22.04 LTS jammy	Ignored
mozjs115	25.10 questing	Not in release
	24.04 LTS noble	Ignored
	22.04 LTS jammy	Not in release

Notes

mdeslaur

mozjs* contain a copy of the SpiderMonkey JavaScript engine. It is not feasible to backport security fixes to the mozjs* packages, as such, marking them as ignored. starting with Ubuntu 22.04, the firefox package is just a script that installs the Firefox snap starting with Ubuntu 24.04, the thunderbird package is just a script that installs the Thunderbird snap

CVE-2026-4689

Description

Status

Notes

mdeslaur

References

Other references

Access our resources on patching vulnerabilities