Description
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in the JavaScript Engine component of Mozilla Firefox. This type of memory corruption can allow an attacker to execute arbitrary code, potentially compromising confidentiality, integrity, and availability of the affected system. No further details about the specific attack path are provided, but the flaw’s nature suggests severe consequences if exploited.

Affected Systems

Mozilla Firefox is affected. The vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10, implying that all earlier releases before those version numbers are vulnerable. The list of products is limited to the Mozilla Firefox browser; no other vendors or products are mentioned.

Risk and Exploitability

The CVSS score is not disclosed, and the EPSS score is not available. The vulnerability is not listed in CISA’s KEV catalog, indicating there is no public record of current exploitation for this issue. Nonetheless, use‑after‑free vulnerabilities in web browsers are high‑risk due to their ability to enable arbitrary code execution, especially when enabled scripts come from untrusted web content. The lack of publicly available exploit metrics does not reduce the potential impact; it merely reflects that the vulnerability is not yet observed in the wild.

Generated by OpenCVE AI on April 21, 2026 at 23:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor‑supplied patch by upgrading to Firefox 150, Firefox ESR 115.35, or Firefox ESR 140.10.
  • For environments unable to update immediately, restrict or disable JavaScript execution on untrusted sites to reduce the attack surface.
  • Deploy monitoring tools to detect abnormal memory activity or crashes that may indicate exploitation attempts.

Generated by OpenCVE AI on April 21, 2026 at 23:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.
Title Use-after-free in the JavaScript Engine component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:34:46.471Z

Reserved: 2026-04-21T12:40:50.251Z

Link: CVE-2026-6754

cve-icon Vulnrichment

Updated: 2026-04-21T17:46:59.219Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-21T13:16:21.420

Modified: 2026-04-22T00:16:31.210

Link: CVE-2026-6754

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T23:15:03Z

Weaknesses