Description
Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free bug was identified in Firefox’s WebRTC component. When a client processes malformed WebRTC packets, the flaw can corrupt memory and potentially allow an attacker to execute arbitrary code or crash the browser. The official description does not disclose specific exploitation techniques, but the typical attack vector would involve a malicious WebRTC session, either initiated from a compromised web page or injected over the network.

Affected Systems

Mozilla Firefox installations running any version before the security fixes delivered in Firefox 150 and the ESR release 140.10 remain vulnerable; this includes all earlier consumer releases and older ESR branches such as 140.9 and prior.

Risk and Exploitability

The lack of published CVSS or EPSS scores does not diminish the severity of a memory‑corruption vulnerability; the potential for remote code execution is substantial. No CISA KEV listing is reported, but the absence of publicly available exploits does not reduce the risk. Attackers would need to trigger a WebRTC session with crafted data to exploit the flaw, a scenario that could arise from malicious web content or compromised network traffic.

Generated by OpenCVE AI on April 21, 2026 at 23:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to the latest stable release or to ESR 140.10 or newer to receive the fix for the WebRTC use‑after‑free issue.
  • If an immediate upgrade is not feasible, temporarily disable WebRTC by setting the configuration option media.peerconnection.enabled to false in about:config or use a browser extension that blocks WebRTC traffic.
  • Monitor system logs for crashes or abnormal memory activity associated with WebRTC events, and ensure any future security updates are applied promptly.


Tracking


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
  Values Removed: Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
  Values Added: Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Type: Weaknesses
  CWE-416
Type: References
Type: Metrics
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:30:00 +0000

Type: First Time appeared
  Mozilla; Mozilla firefox
Type: Vendors & Products
  Mozilla; Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type: Description
  Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Type: Title
  Use-after-free in the WebRTC component
Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:34:38.193Z

Reserved: 2026-04-21T12:40:44.581Z

Link: CVE-2026-6747

Vulnrichment

Updated: 2026-04-21T17:43:02.729Z

NVD

Status: Undergoing Analysis

Published: 2026-04-21T13:16:20.813

Modified: 2026-04-22T00:16:30.013

Link: CVE-2026-6747

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:15:03Z

Weaknesses