Description
Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential memory corruption
Action: Immediate Upgrade
AI Analysis

Impact

The vulnerability arises from incorrect boundary conditions within the NSS Libraries component of Mozilla Firefox. The flaw can corrupt memory when processing certain inputs, potentially leading to undefined behavior or other security consequences. The official description does not explicitly state that this could result in code execution or privilege escalation, so the exact impact remains uncertain.

Affected Systems

All Mozilla Firefox releases prior to version 150 and Firefox ESR 140.10, as well as all Mozilla Thunderbird releases prior to version 150 and Thunderbird ESR 140.10, are affected.

Risk and Exploitability

Exploitation most likely involves malicious content or data handled by the browser, implying a remote attack vector from web pages or other user-supplied inputs. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but given the central role of NSS in cryptographic operations, the risk is high. The CVSS score of 7.5 indicates a high severity vulnerability. The absence of a known public exploit means the attack may still rely on crafted inputs, but the potential severity warrants immediate action.

Generated by OpenCVE AI on April 22, 2026 at 05:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Firefox to version 150, or Firefox ESR 140.10, or any later release that incorporates the NSS boundary fix.
  • Restart the browser to ensure the updated NSS libraries are loaded.
  • Monitor Mozilla security advisories and releases page for further updates or patches if an immediate upgrade is not feasible.

Generated by OpenCVE AI on April 22, 2026 at 05:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6225-1 firefox-esr security update
History

Wed, 22 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10. Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
References

Tue, 21 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-754
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Libraries component in NSS. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Title Incorrect boundary conditions in the Libraries component in NSS
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:34:59.578Z

Reserved: 2026-04-21T12:40:59.297Z

Link: CVE-2026-6766

cve-icon Vulnrichment

Updated: 2026-04-21T16:38:30.259Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:22.493

Modified: 2026-04-22T14:57:46.330

Link: CVE-2026-6766

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T12:40:59Z

Links: CVE-2026-6766 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T05:45:09Z

Weaknesses