Description
Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

This vulnerability stems from the use of uninitialized memory in the Audio/Video: Web Codecs component of Mozilla Firefox. The bug can allow reads of memory that was never set, which could expose sensitive data or crash the browser. The impact is therefore possible information disclosure or application instability.

Affected Systems

The affected vendor is Mozilla, specifically the Firefox browser. The flaw exists in all versions prior to Firefox 150 and in ESR releases before 140.10, where the Web Codecs API could access memory that was never initialized.

Risk and Exploitability

No publicly available CVSS score or EPSS value is provided, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw occurs in the Web Codecs API, it is most likely exploitable through malicious web content that leverages the codec functionality. No confirmed exploits exist, but the potential for data leakage warrants patching before any exploit is discovered. The attack vector is likely remote, delivered via web pages, but the specific feasibility remains uncertain.

Generated by OpenCVE AI on April 22, 2026 at 03:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 150 or later, or to Firefox ESR 140.10 or later, when available.
  • If upgrading is not immediately possible, disable the Web Codecs feature by setting the preference "media.webcodecs.enabled" to false in about:config or via policy.
  • Validate that any scripts or web applications using Web Codecs are updated to the latest APIs, which no longer expose uninitialized memory.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-788

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description
  Removed: Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
  Added: Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Weaknesses CWE-457
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Title Uninitialized memory in the Audio/Video: Web Codecs component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:34:42.935Z

Reserved: 2026-04-21T12:40:47.871Z

Link: CVE-2026-6751

Vulnrichment

Updated: 2026-04-21T18:58:22.833Z

NVD

Status: Undergoing Analysis

Published: 2026-04-21T13:16:21.163

Modified: 2026-04-22T00:16:30.783

Link: CVE-2026-6751

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T03:30:06Z

Weaknesses