Description
Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.
Published: 2026-04-07
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution via WebGPU
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from improper handling of boundary conditions within the Graphics: WebGPU component, creating an opportunity for memory corruption. The issue is classified as a buffer overflow and an out‑of‑bounds write, allowing an attacker who can introduce malicious WebGPU instructions to overwrite critical memory and potentially execute arbitrary code. The impact is severe, threatening the confidentiality, integrity, and availability of the affected system.

Affected Systems

The flaw affects Mozilla Firefox and Mozilla Thunderbird versions prior to 149.0.2. Any user running a vulnerable build of these applications is potentially exposed until they upgrade to the fixed releases.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is considered high severity. The EPSS score of less than 1% indicates a low expected exploitation probability, and it is not yet listed in CISA’s KEV catalog. Based on the nature of the flaw and its location in a web‑based graphics API, the attack vector is inferred to be remote, most likely through a malicious webpage or email that triggers the WebGPU component.

Generated by OpenCVE AI on April 13, 2026 at 16:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 149.0.2 or later
  • Update Mozilla Thunderbird to version 149.0.2 or later
  • If an immediate update is not possible, disable the WebGPU feature by setting the corresponding configuration option to false in the browser’s configuration page

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 149.0.2 and Thunderbird < 149.0.2. | Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.

Wed, 08 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla thunderbird
Vendors & Products | | Mozilla thunderbird

Wed, 08 Apr 2026 12:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-787
References | |
Metrics | threat_severity: None | threat_severity: Important

Tue, 07 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 149.0.2. | Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 149.0.2 and Thunderbird < 149.0.2.
First Time appeared | | Mozilla; Mozilla firefox
CPEs | | cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
Vendors & Products | | Mozilla; Mozilla firefox
References | |

Tue, 07 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability affects Firefox < 149.0.2.
Title | | Incorrect boundary conditions in the Graphics: WebGPU component
Weaknesses | | CWE-119
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:30.439Z

Reserved: 2026-04-07T12:43:13.392Z

Link: CVE-2026-5733

Vulnrichment

Updated: 2026-04-07T14:33:08.217Z

NVD

Status: Modified

Published: 2026-04-07T13:16:47.567

Modified: 2026-04-13T15:17:46.643

Link: CVE-2026-5733

Redhat

Severity: Important

Public Date: 2026-04-07T12:43:13Z

Links: CVE-2026-5733 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:41:02Z

Weaknesses