Description
Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.
Published: 2026-04-07
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

Memory corruption bugs were present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs could, with sufficient effort, allow an attacker to execute arbitrary code. The result would compromise confidentiality, integrity, and availability, posing a remote code execution risk. This is a typical out‑of‑bounds write flaw (CWE‑787).

Affected Systems

Mozilla’s Firefox and Thunderbird browsers were affected, specifically version 149.0.1 of each product. The bug was fixed in version 149.0.2 and later releases, so users with earlier versions remain at risk.

Risk and Exploitability

The vulnerability has a high severity CVSS score of 8.1, but an EPSS score below 1 % suggests that widespread exploitation is unlikely at present. The vulnerability is not listed in the NIST Known Exploited Vulnerabilities catalog. Based on the description, the attack vector appears to involve exploitation of user‑supplied content processed by the browser or email client, requiring advanced techniques to achieve code execution.

Generated by OpenCVE AI on April 13, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to 149.0.2 or newer to receive the fix for the memory corruption bugs.
  • Upgrade Thunderbird to 149.0.2 or newer for the same reason.
  • If an update cannot be performed immediately, keep the software updated to the latest patch level and monitor security advisories for any new information.

Generated by OpenCVE AI on April 13, 2026 at 16:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2 and Thunderbird < 149.0.2. Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.

Mon, 13 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 08 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2. Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2 and Thunderbird < 149.0.2.
First Time appeared Mozilla
Mozilla firefox
Mozilla thunderbird
Weaknesses CWE-787
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla
Mozilla firefox
Mozilla thunderbird
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2.
Title Memory safety bugs fixed in Firefox 149.0.2 and Thunderbird 149.0.2
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:36.700Z

Reserved: 2026-04-07T12:43:15.436Z

Link: CVE-2026-5735

cve-icon Vulnrichment

Updated: 2026-04-13T13:20:55.188Z

cve-icon NVD

Status : Modified

Published: 2026-04-07T13:16:47.763

Modified: 2026-04-13T15:17:47.010

Link: CVE-2026-5735

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-07T12:43:15Z

Links: CVE-2026-5735 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:41:00Z

Weaknesses