Description
Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The flaw is a read from an uninitialized memory region in the Graphics: Canvas2D component, which lets a page read data it should never have access to. The leaked memory contents may include sensitive material such as cryptographic keys, credentials, or other confidential data. This is an information‑disclosure issue only; it does not directly lead to code execution or denial of service.

Affected Systems

Mozilla Firefox users are affected if they run a release earlier than Firefox 150, or an ESR release earlier than Firefox ESR 115.35 or Firefox ESR 140.10. The Canvas2D component is present in all of these release lines, and the fix is contained in the versions listed above.

Risk and Exploitability

No EPSS score is published, so the likelihood of exploitation cannot be quantified, and the vulnerability is not listed in CISA’s KEV catalogue. Based on the description, the likely attack vector is either a local user able to load or render arbitrary canvas content, or a remote attacker delivering a crafted HTML page that triggers the flaw in the browser’s rendering engine. In either case the attacker would be able to read memory that was never initialized, potentially leaking confidential information. Because the CVSS assessment is not available in the supplied data, users should assume a high risk and treat the vulnerability as a critical confidentiality compromise.

Generated by OpenCVE AI on April 22, 2026 at 03:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 150 or newer, or to at least Firefox 115.35 or Firefox 140.10 on ESR‑based installations
  • If an upgrade is temporarily blocked, restrict the execution of untrusted or downloaded content that could render canvas data until a patch is applied

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 03:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-788

Wed, 22 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. | Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Weaknesses | | CWE-908
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla, Mozilla firefox
Vendors & Products | | Mozilla, Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type | Values Removed | Values Added
Description | | Information disclosure due to uninitialized memory in the Graphics: Canvas2D component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.
Title | | Information disclosure due to uninitialized memory in the Graphics: Canvas2D component
References | |

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:34:40.339Z

Reserved: 2026-04-21T12:40:46.464Z

Link: CVE-2026-6749

Vulnrichment

Updated: 2026-04-21T17:44:28.519Z

NVD

Status: Undergoing Analysis

Published: 2026-04-21T13:16:20.993

Modified: 2026-04-22T00:16:30.390

Link: CVE-2026-6749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T03:30:06Z

Weaknesses