Description
Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is a use‑after‑free in Firefox’s Widget: Cocoa component. The flaw allows an attacker to corrupt memory and potentially trigger undefined behavior, such as a program crash or arbitrary code execution. Affected releases were fixed in Firefox 150 and Firefox ESR 140.10.

Affected Systems

The flaw is found in Mozilla Firefox. All versions prior to Firefox 150 and to Firefox ESR 140.10 are vulnerable.

Risk and Exploitability

Because the CVSS score and EPSS are not available and the vulnerability is not listed in KEV, the exact severity and exploitation probability cannot be quantified from the public data. The likely attack vector involves exploiting the component from within the Firefox process, possibly via a crafted webpage or user interaction. No public proof‑of‑concept or exploitation details are disclosed, so the risk is considered to be high but unproven in the wild.

Generated by OpenCVE AI on April 22, 2026 at 03:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 150 or newer, or to Firefox ESR 140.10 or newer, to receive the fix for this use‑after‑free flaw.
  • If an upgrade cannot be performed immediately, consider disabling the Widget: Cocoa component or other widget APIs that are not required for your use case, to eliminate the vulnerability exposure.
  • Keep Firefox updated regularly and monitor Mozilla’s security advisories for any additional patches or guidance related to the Widget component.

Generated by OpenCVE AI on April 22, 2026 at 03:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10. Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Title Use-after-free in the Widget: Cocoa component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:34:51.428Z

Reserved: 2026-04-21T12:40:54.035Z

Link: CVE-2026-6759

cve-icon Vulnrichment

Updated: 2026-04-21T17:48:33.083Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-21T13:16:21.857

Modified: 2026-04-22T00:16:31.870

Link: CVE-2026-6759

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T03:30:06Z

Weaknesses