Description
Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Patch
AI Analysis

Impact

This vulnerability arises from incorrect boundary checks within the Device Interfaces component of Firefox’s DOM implementation. The flaw can lead to memory corruption when an attacker provides crafted data that manipulates device interfaces. While the CVE description does not explicitly state the exploitation outcome, such memory corruption could, in principle, result in loss of confidentiality, integrity, or availability.

Affected Systems

Mozilla Firefox and Thunderbird versions earlier than 150, as well as the ESR 140.10 line, are affected. Users should verify that their installations are not older than these patched releases.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium severity, but the EPSS score is not available, so the likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog. The lack of a published EPSS value means the risk cannot be precisely measured; however the documented memory corruption potential and medium severity suggest a noteworthy concern. The attack vector is likely local or remote via crafted DOM manipulation, although the exact method is not detailed in the vendor advisory.

Generated by OpenCVE AI on April 22, 2026 at 13:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 150 or newer, or to Firefox ESR 140.10 or newer, and to Thunderbird 150 or newer, or to Thunderbird ESR 140.10 or newer.
  • If an upgrade cannot be performed immediately, block or disable the Device Interfaces feature via browser settings or a dedicated extension that limits device access.
  • Enable automatic updates to ensure that subsequent security fixes are installed without delay.

Generated by OpenCVE AI on April 22, 2026 at 13:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6225-1 firefox-esr security update
History

Wed, 22 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-805
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10. Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Weaknesses CWE-119
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Title Incorrect boundary conditions in the DOM: Device Interfaces component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:34:57.148Z

Reserved: 2026-04-21T12:40:57.986Z

Link: CVE-2026-6764

cve-icon Vulnrichment

Updated: 2026-04-21T20:09:40.470Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:22.313

Modified: 2026-04-22T16:07:49.670

Link: CVE-2026-6764

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T12:40:58Z

Links: CVE-2026-6764 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:45:18Z

Weaknesses