Mozilla released Firefox 149 on March 24, 2026, and the advisory that ships with it (MFSA 2026-20) lists 34 fixed vulnerabilities. Seventeen are rated high impact, sixteen moderate and two low. This is not a cosmetic round: some of the memory bugs showed evidence of corruption and, by Mozilla’s own assessment, could have been worked into arbitrary code execution.
What breaks
The standout in this batch is CVE-2026-4684, a race condition leading to a use-after-free in WebRender, the GPU-accelerated compositor Firefox uses to paint pages. In a race of this kind one thread frees an object while another still holds a pointer to it, so the second thread keeps reading or writing memory the allocator has already handed back, possibly to an attacker-shaped allocation. That class of bug is the classic raw material for code execution and, chained with a second flaw, for breaking out of the sandbox onto the victim's machine. It was reported by Oskar L.
Alongside it sit three "memory safety bugs" entries of the kind Mozilla bundles into most releases: CVE-2026-4720, CVE-2026-4721 and CVE-2026-4729. Each is a roll-up of memory bugs found during development and fuzzing rather than reported from outside. Mozilla's standard wording applies: some showed evidence of memory corruption, and the project presumes that, with enough effort, some could have been exploited to run arbitrary code. The advisory also lists sandbox escape flaws among the fixes.
Who is affected
Anyone running Firefox on the desktop (Windows, macOS or Linux) on any build older than 149, or on the ESR channel on a build older than the matching ESR fix. Exploiting most of these issues only requires that the user load a crafted web page, or a legitimate page that embeds attacker-controlled content, with no further interaction. As usual, that keeps the browser one of the most exposed attack surfaces on an otherwise well-configured Linux system.
Severity
Mozilla doesn't flag this as one of its "critical, drop everything" releases, but 17 high-impact bugs, several with code-execution and sandbox-escape potential, leave little room to wait. Once the fix commits are public, the gap between patch and working exploit tends to be short: the diff points straight at the broken code, and a use-after-free in a well-understood component is a familiar target.
Mitigation
The answer is plain: update to Firefox 149. If you track the extended support release, Mozilla shipped fixes for a subset of these issues in Firefox ESR 140.9 and ESR 115.34, plus Thunderbird 149 and Thunderbird ESR 140.9. On most Linux distributions the update arrives through the package manager, and distro packages do not update themselves; check that your repository already serves 149 (or the matching ESR), run `firefox --version` or open about:support to confirm what is installed, and restart the browser so it loads the patched build. Mozilla's own builds usually download the update in the background, but on every platform the new binary does not take effect until you close and reopen Firefox; until then the old, vulnerable code is what is running.
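The check described above, as an added example that is not part of the original article or of any Mozilla tooling: a small POSIX shell script that decides whether an installed Firefox version carries the fix for its branch (mainline 149, ESR 140.9, ESR 115.34, the thresholds named in this section) and, on Linux, whether a running Firefox was started from a binary that the package manager has since replaced. The version-string format ("Mozilla Firefox 149.0", "Mozilla Firefox 140.9.0esr"), the function names and the /proc-based restart check are this example's own assumptions, not anything the advisory specifies.

```shell
#!/bin/sh
# Added example: is the Firefox on this host at or above the build that
# carries the MFSA 2026-20 fixes for its branch, and is the running
# process actually using it? Thresholds assumed from the text above.

# is_patched VERSION
#   exit 0 if VERSION is at or above the fixed build for its branch,
#   exit 1 if it is older, exit 2 if the string cannot be parsed.
# Branches: 115.x and 140.x are ESR (fixed in 115.34 / 140.9); any other
# major is mainline and is only fixed from 149 upwards. An "esr" or
# "a1" suffix is ignored; only major.minor matter here.
is_patched() {
    v=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 2
    major=${v% *}
    minor=${v#* }
    case "$major" in
        115) [ "$minor" -ge 34 ] ;;
        140) [ "$minor" -ge 9 ] ;;
        *)   [ "$major" -ge 149 ] ;;
    esac
}

# installed_version
#   print the version of the firefox on PATH; assumes the
#   "Mozilla Firefox <version>" output format of `firefox --version`.
installed_version() {
    command -v firefox >/dev/null 2>&1 || return 1
    firefox --version 2>/dev/null | sed -n 's/^Mozilla Firefox //p'
}

# needs_restart
#   exit 0 if a running firefox was started from a binary that has since
#   been replaced on disk. Linux-only: /proc/<pid>/exe then resolves to a
#   path ending in "(deleted)", which is exactly the "updated but not
#   restarted" state the text warns about.
needs_restart() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            */firefox*"(deleted)") return 0 ;;
        esac
    done
    return 1
}

# Stand-alone usage: report on the host this runs on.
if ver=$(installed_version) && [ -n "$ver" ]; then
    if is_patched "$ver"; then
        echo "firefox $ver: patched for MFSA 2026-20"
        if needs_restart; then
            echo "a running Firefox predates the update; close and reopen it"
        fi
    else
        echo "firefox $ver: NOT patched, update to 149 / ESR 140.9 / ESR 115.34"
    fi
else
    echo "no firefox found on PATH"
fi
```

Run it as `sh check-firefox.sh` on each host, or call `is_patched` on version strings collected from a fleet. Note that a major between 116 and 139, or between 141 and 148, is treated as unpatched mainline: those branches never received these fixes, and only moving to 149 (or to a supported ESR) helps.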