Description
Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Use-after-free potentially enabling arbitrary code execution
Action: Patch Now
AI Analysis

Impact

This vulnerability is a use-after-free condition located in the DOM core and HTML component of the Mozilla codebase. The flaw permits access to a memory object after it has been freed, which corresponds to CWE-416 and CWE-825. The potential impact is that an attacker could trigger the bug to execute arbitrary code in the context of the browser or mail client, compromising confidentiality, integrity, or availability of the affected system.

Affected Systems

Any installation of Mozilla Firefox or Thunderbird older than Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, or Thunderbird 140.10 is vulnerable. The issue affects both standard and ESR builds, so users on any release earlier than those listed are at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity for a use-after-free bug in a mainstream browser. Note that the CVSS 3.1 vector recorded for this CVE (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) scores availability impact only, so the arbitrary code execution described above is a potential consequence of the bug class rather than something the vector itself captures. The EPSS score is less than 1%, so the likelihood of exploitation is very low, and the vulnerability is not included in the CISA KEV catalog. Based on the description, the likely attack vector is inferred to be delivery of malicious content through a web page or embedded HTML that triggers the DOM bug during normal browsing or mail processing.

Generated by OpenCVE AI on April 28, 2026 at 16:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Mozilla Firefox or Thunderbird release that includes the fix (Firefox 150 or newer, Firefox ESR 115.35 or 140.10, Thunderbird 150 or newer, Thunderbird ESR 140.10).
  • Enable automatic updates or run the update utility regularly to ensure that the latest security fixes are applied without manual intervention.
  • If an upgrade cannot be performed immediately, mitigate the risk by disabling JavaScript execution or applying content‑safety restrictions for untrusted web pages and mail content until the official patch is deployed.

Advisories
Source      ID          Title
Debian DLA  DLA-4546-1  firefox-esr security update
Debian DLA  DLA-4549-1  thunderbird security update
Debian DSA  DSA-6225-1  firefox-esr security update
Debian DSA  DSA-6229-1  thunderbird security update
History

Wed, 22 Apr 2026 15:15:00 +0000

Type: Metrics
  Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 14:45:00 +0000

Type: CPEs
  Values Removed: cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
  Values Added: cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*

Wed, 22 Apr 2026 14:30:00 +0000

Type: First Time appeared
  Values Added: Mozilla thunderbird
Type: CPEs
  Values Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
                cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
                cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000


Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
  Values Removed: Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.
  Values Added: Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Type: Weaknesses
  Values Added: CWE-416
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:15:00 +0000

Type: First Time appeared
  Values Added: Mozilla
                Mozilla firefox
Type: Vendors & Products
  Values Added: Mozilla
                Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type: Description
  Values Added: Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.
Type: Title
  Values Added: Use-after-free in the DOM: Core & HTML component
Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Updated: 2026-04-22T15:08:34.207Z

Reserved: 2026-04-21T12:40:43.779Z

Link: CVE-2026-6746

Vulnrichment

Updated: 2026-04-21T17:41:50.489Z

NVD

Status: Analyzed

Published: 2026-04-21T13:16:20.720

Modified: 2026-04-22T14:38:12.733

Link: CVE-2026-6746

Redhat

Severity: Important

Public Date: 2026-04-21T12:40:44Z

Links: CVE-2026-6746 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T16:30:35Z

Weaknesses