Description
Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a use‑after‑free flaw in the JavaScript Engine component of Mozilla Firefox and Thunderbird. This type of memory corruption can allow an attacker to execute arbitrary code, potentially compromising confidentiality, integrity, and availability of the affected system. The flaw’s nature suggests severe consequences if exploited. The issue was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. The vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10, indicating that all earlier releases before those versions are vulnerable. The affected products include the Mozilla Firefox browser and the Mozilla Thunderbird email client.

Risk and Exploitability

The CVSS score is 7.5, EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, indicating there is no public record of current exploitation for this issue. Nonetheless, this use‑after‑free (CWE-416) and arbitrary program control (CWE-825) flaw in web browsers and email clients is high‑risk due to its ability to enable arbitrary code execution, especially when enabled scripts or content come from untrusted sources. The lack of publicly available exploit metrics does not reduce the potential impact; it merely reflects that the vulnerability is not yet observed in the wild.

Generated by OpenCVE AI on April 22, 2026 at 13:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor‑supplied patch by upgrading to Firefox 150, Firefox ESR 115.35, or Firefox ESR 140.10, which addresses the use‑after‑free (CWE-416) and arbitrary program control (CWE-825) weaknesses.
  • Apply a vendor‑supplied patch for Thunderbird by upgrading to Thunderbird 150, Thunderbird 140.10, or the latest ESR release, which similarly fixes the CWE-416 and CWE-825 vulnerabilities.
  • Deploy monitoring tools to detect abnormal memory activity or crashes that may indicate exploitation attempts of these weaknesses.

Generated by OpenCVE AI on April 22, 2026 at 13:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4546-1 firefox-esr security update
Debian DLA Debian DLA DLA-4549-1 thunderbird security update
Debian DSA Debian DSA DSA-6225-1 firefox-esr security update
Debian DSA Debian DSA DSA-6229-1 thunderbird security update
History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.
Title Use-after-free in the JavaScript Engine component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-22T15:06:53.853Z

Reserved: 2026-04-21T12:40:50.251Z

Link: CVE-2026-6754

cve-icon Vulnrichment

Updated: 2026-04-21T17:46:59.219Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:21.420

Modified: 2026-04-22T14:53:48.573

Link: CVE-2026-6754

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-21T12:40:50Z

Links: CVE-2026-6754 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T14:00:18Z

Weaknesses