Description
Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The flaw is an invalid pointer in the JavaScript WebAssembly component that can corrupt memory and potentially enable remote code execution. The description indicates that the bug might be triggered via WebAssembly, suggesting that crafted modules could cause the browser to execute arbitrary code. Based on the description, it is inferred that the impact includes the possibility of remote code execution.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. Versions before Firefox 150 and Firefox ESR 140.10, and the corresponding Thunderbird releases before 150 and ESR 140.10, contain the vulnerability.

Risk and Exploitability

Because the flaw is an out‑of‑bounds write or use‑after‑free in the JavaScript engine, an attacker could potentially exploit the bug by delivering malicious WebAssembly code over the network. The CVSS score for this vulnerability is 6.3. Based on the description, the likely attack vector is sending crafted WebAssembly modules. The EPSS score of <1% (0.00018) indicates a very low exploitation probability, and the vulnerability is not listed in KEV, implying that no widespread exploitation has been reported yet, but the severe consequence of remote code execution justifies immediate patching.

Generated by OpenCVE AI on April 27, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 150 or later, or to Firefox ESR 140.10 or later if using the ESR branch.
  • Upgrade to Thunderbird 150 or later, or to Thunderbird ESR 140.10 or later if using the ESR branch.
  • If an upgrade cannot be performed immediately, disable WebAssembly in the browser or block untrusted WebAssembly code using extensions or enterprise policies.

Generated by OpenCVE AI on April 27, 2026 at 19:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4546-1 firefox-esr security update
Debian DLA Debian DLA DLA-4549-1 thunderbird security update
Debian DSA Debian DSA DSA-6225-1 firefox-esr security update
Debian DSA Debian DSA DSA-6229-1 thunderbird security update
History

Wed, 22 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-824
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-823
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

threat_severity

Moderate

Wed, 22 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-416

Wed, 22 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-416

Wed, 22 Apr 2026 03:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-416

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10. Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
References

Tue, 21 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Title Invalid pointer in the JavaScript: WebAssembly component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-22T15:35:04.751Z

Reserved: 2026-04-21T12:40:52.634Z

Link: CVE-2026-6757

cve-icon Vulnrichment

Updated: 2026-04-22T14:31:11.703Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:21.690

Modified: 2026-04-22T17:39:26.500

Link: CVE-2026-6757

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T12:40:52Z

Links: CVE-2026-6757 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:00:05Z

Weaknesses