Description
Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Buffer overflow (memory corruption)
Action: Patch Software
AI Analysis

Impact

The CVE describes a buffer overflow in the NSS libraries, identified as CWE‑119 and CWE‑676. This flaw can corrupt memory and potentially allow an attacker to execute arbitrary code or cause other unintended behavior. The CVSS score of 5.3 classifies the risk as moderate.

Affected Systems

Mozilla Firefox and Thunderbird are affected. All releases prior to Firefox 150, ESR 115.35, and ESR 140.10, as well as all releases prior to Thunderbird 150 and 140.10 contain the vulnerability. The fixes were applied in the specified newer versions, so only earlier builds are vulnerable.

Risk and Exploitability

The CVSS score indicates a moderate severity, yet the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is not explicitly described, but given the nature of the flaw it could be leveraged by an attacker through an NSS library exploit, potentially remotely if the library is used in network services. Overall, the risk level remains uncertain but should be considered moderate pending further information.

Generated by OpenCVE AI on April 22, 2026 at 15:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 150 or to one of the ESR releases 115.35 or 140.10 that contain the fix.
  • Upgrade Thunderbird to version 150 or to one of the ESR releases 115.35 or 140.10 that contain the fix.
  • Deploy the updated software across all impacted systems to ensure the vulnerability is eliminated.
  • Continue to monitor Mozilla security advisories for any changes to the advisory or additional patches.

Generated by OpenCVE AI on April 22, 2026 at 15:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6225-1 firefox-esr security update
History

Wed, 22 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-676
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10. Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Weaknesses CWE-119
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10.
Title Other issue in the Libraries component in NSS
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:35:01.012Z

Reserved: 2026-04-21T12:40:59.989Z

Link: CVE-2026-6767

cve-icon Vulnrichment

Updated: 2026-04-21T18:03:23.125Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:22.577

Modified: 2026-04-22T17:37:49.350

Link: CVE-2026-6767

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T12:41:00Z

Links: CVE-2026-6767 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:15:16Z

Weaknesses