Description
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Published: 2026-04-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A use‑after‑free flaw was discovered in the WebAssembly component of the JavaScript engine. The bug permits attackers to corrupt memory, potentially leading to arbitrary code execution within the browser context. This vulnerability compromises confidentiality, integrity, and availability by enabling an attacker to run malicious code on the victim’s system.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are affected. Both products contain the WebAssembly component in their JavaScript engines. The issue was addressed in version 150 of each product, meaning all earlier releases are vulnerable.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the KEV catalog, so no verified exploits are known at present. The path to exploitation would likely involve delivering malicious content to the browser, such as a crafted WebAssembly script, and then triggering the use‑after‑free condition. The CVSS score of 7.5 indicates high severity based on the ability to execute arbitrary code, but lack of an EPSS score means the likelihood of real‑world use is uncertain.

Generated by OpenCVE AI on April 22, 2026 at 05:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 150 or later
  • Update Mozilla Thunderbird to version 150 or later
  • Enable the browser’s auto‑update feature so that future patches are applied automatically
  • If an immediate update is not possible, use a security policy or extension to disable WebAssembly until the vulnerability is fixed

Generated by OpenCVE AI on April 22, 2026 at 05:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150. Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150.
Title Use-after-free in the JavaScript: WebAssembly component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:34:50.318Z

Reserved: 2026-04-21T12:40:53.328Z

Link: CVE-2026-6758

cve-icon Vulnrichment

Updated: 2026-04-21T17:47:48.694Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-21T13:16:21.770

Modified: 2026-04-22T00:16:31.697

Link: CVE-2026-6758

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T06:00:09Z

Weaknesses