Skip to main content

Zen Browser CVE-2026-41431

| EUVDEUVD-2026-29119 HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-05-11 GitHub_M
8.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.0 HIGH
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
May 11, 2026 - 18:02 EUVD
Source Code Evidence Fetched
May 11, 2026 - 17:47 vuln.today
Analysis Generated
May 11, 2026 - 17:47 vuln.today
CVE Published
May 11, 2026 - 16:55 nvd
HIGH 8.0

DescriptionGitHub Advisory

Zen is a firefox-based browser. Prior to 1.19.9b, Zen Browser ships a Mozilla Application Resource (MAR) updater (org.mozilla.updater) that has had all MAR signature verification stripped from the Firefox codebase it was forked from. The MAR files served to users contain zero cryptographic signatures, and the updater binary contains zero cryptographic verification code. This eliminates the defense-in-depth that MAR signing provides. If the update server or GitHub release pipeline is compromised, arbitrary unsigned code can be delivered to all Zen users via the auto-update mechanism. This vulnerability is fixed in 1.19.9b.

AnalysisAI

Zen Browser's auto-update mechanism delivered unsigned code to all users due to deliberately removed MAR signature verification inherited from Firefox. The browser shipped with Mozilla's updater binary stripped of all cryptographic verification code and served update packages containing zero cryptographic signatures. Compromise of the update server or GitHub Actions pipeline allowed arbitrary code execution on all Zen installations without cryptographic chain-of-trust protection. Version 1.19.9b restores MAR signing with RSA-4096 keys and certificate verification in the updater binary.

Technical ContextAI

Mozilla Application Resource (MAR) files are Firefox's update package format, cryptographically signed using RSA keys embedded in the updater binary. Firefox's MAR verification uses NSS (Network Security Services) to validate signatures against public keys compiled into org.mozilla.updater. Zen Browser forked Firefox's codebase but removed all MAR signature verification code paths and shipped updates without signing infrastructure. The vulnerability stems from CWE-347 (Improper Verification of Cryptographic Signature) - the updater accepted any MAR file from the update server without cryptographic validation. The fix implements a complete signing pipeline: OpenSSL-generated RSA-4096 keypair, self-signed X.509 certificate for PKCS#12 bundling, public key (SPKI DER format) embedded in release_primary.der and release_secondary.der within the updater binary, NSS database initialization for signature operations, and GitHub Actions secrets (ZEN_MAR_SIGNING_PASSWORD, ZEN_SIGNING_CERT_PEM_BASE64, ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64) protecting the signing key. The build system now calls signmar utility during CI/CD to cryptographically sign all MAR files before distribution, and the updater verifies signatures against embedded public keys before applying updates.

RemediationAI

Update to Zen Browser 1.19.9b or later immediately. The fix commit (270db6d6713d2c6c14d9df0b4bc7662843d3d54e at https://github.com/zen-browser/desktop/commit/270db6d6713d2c6c14d9df0b4bc7662843d3d54e) restores MAR signing with RSA-4096 keys, implements signature verification in the updater binary (--enable-verify-mar in mozconfig), removes the --enable-unverified-updates flag, and integrates mar_sign.sh into the build pipeline. Users on vulnerable versions should verify the update was delivered via the official channel and consider the security posture of any system where Zen Browser auto-updated prior to 1.19.9b (treat as potentially compromised if the update server was ever untrusted). No workaround exists for versions prior to 1.19.9b - the updater binary itself lacks verification code, so disabling auto-update only prevents future compromise but does not validate already-applied updates. If unable to update immediately, uninstall Zen Browser and use an alternative browser until 1.19.9b can be installed from the official GitHub release page. Organizations should audit systems for Zen Browser installations and force-upgrade via deployment tools rather than relying on the insecure auto-update channel.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

CVE-2026-41431 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy