Description
Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution (inference)
Action: Immediate Patch
AI Analysis

Impact

Use‑after‑free in the WebRTC component allows memory corruption when a client processes malformed WebRTC packets, and the flaw is categorized as CWE‑416 and CWE‑825. Based on the nature of the memory corruption, it is inferred that an attacker could potentially cause arbitrary code execution or crash the browser. The vulnerability was addressed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Affected Systems

Mozilla Firefox installations running any version before the security fixes delivered in Firefox 150 and the ESR release 140.10 remain vulnerable; this includes all earlier consumer releases and older ESR branches such as 140.9 and prior. Mozilla Thunderbird installations running any version before the security fixes delivered in Thunderbird 150 and the ESR release 140.10 also remain vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5. EPSS information is not available, and the issue is not listed in CISA KEV. Based on the description, it is inferred that attackers would need to trigger a WebRTC session with crafted data, a scenario that could arise from malicious web content or compromised network traffic. Although no publicly available exploits are documented, the memory‑corruption nature of the flaw could potentially enable remote code execution, but this outcome is not confirmed.

Generated by OpenCVE AI on April 22, 2026 at 15:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Firefox release (150 or newer) or the ESR 140.10 patch to address the flaw.
  • Update to the latest Thunderbird release (150 or newer) or the ESR 140.10 patch to address the flaw.
  • If an immediate update is not feasible, disable WebRTC globally via browser settings or group policy to prevent the vulnerable code path from executing.

Generated by OpenCVE AI on April 22, 2026 at 15:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4546-1 firefox-esr security update
Debian DLA Debian DLA DLA-4549-1 thunderbird security update
Debian DSA Debian DSA DSA-6225-1 firefox-esr security update
Debian DSA Debian DSA DSA-6229-1 thunderbird security update
History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10. Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Title Use-after-free in the WebRTC component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-22T15:08:13.152Z

Reserved: 2026-04-21T12:40:44.581Z

Link: CVE-2026-6747

cve-icon Vulnrichment

Updated: 2026-04-21T17:43:02.729Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:20.813

Modified: 2026-04-22T14:39:18.133

Link: CVE-2026-6747

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-21T12:40:45Z

Links: CVE-2026-6747 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:30:20Z

Weaknesses