Description
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free flaw (CWE‑416) is discovered in the WebAssembly component of the JavaScript engine; the bug leads to memory corruption (CWE‑825) that might allow arbitrary code execution within the browser context (inferred). This vulnerability could compromise confidentiality, integrity, and availability by allowing an attacker to run malicious code on the victim’s system.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. Both products contain the WebAssembly component in their JavaScript engines. The issue was addressed in version 150 of each product, meaning all earlier releases are vulnerable.

Risk and Exploitability

The EPSS score of 0.00038 (less than 1%) indicates a very low exploitation probability, and the vulnerability is not listed in the KEV catalog, so no verified exploits are known at present. The path to exploitation would likely involve delivering malicious content to the browser, such as a crafted WebAssembly script, and then triggering the use‑after‑free condition (inferred). The CVSS score of 7.5 indicates high severity based on the ability to execute arbitrary code, but the low EPSS score means the likelihood of real‑world use is uncertain.

Generated by OpenCVE AI on April 27, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 150 or later
  • Update Mozilla Thunderbird to version 150 or later
  • Enable the browser’s auto‑update feature so that future patches are applied automatically
  • If an immediate update is not possible, use a security policy or extension to disable WebAssembly until the vulnerability is fixed

Generated by OpenCVE AI on April 27, 2026 at 19:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150. Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.
Title Use-after-free in the JavaScript: WebAssembly component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-22T15:06:33.849Z

Reserved: 2026-04-21T12:40:53.328Z

Link: CVE-2026-6758

cve-icon Vulnrichment

Updated: 2026-04-21T17:47:48.694Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:21.770

Modified: 2026-04-22T14:55:30.640

Link: CVE-2026-6758

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T12:40:53Z

Links: CVE-2026-6758 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:00:05Z

Weaknesses