Description
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from a buffer overflow (CWE‑119) caused by incorrect boundary conditions in the WebRTC component. It is also classified as an out-of-bounds write (CWE‑787), which can lead to memory corruption. Crafted data can exceed expected limits and crash the process, denying service to users. No information indicates that the flaw leads to arbitrary code execution, but repeated crashes could facilitate broader denial-of-service attacks, and the flaw could give attackers a foothold for triggering additional vulnerabilities if chained with them.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird versions earlier than 150 are affected; the fix was implemented in those products starting with version 150.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, while the EPSS score is not available, so the precise likelihood of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog and no public exploits have been reported. The likely attack vector is via crafted WebRTC packets sent over the network; this inference is based on the component affected. Given the absence of active exploits and the moderate CVSS score, the overall risk remains low to moderate, but the potential for service disruption warrants timely remediation.

Generated by OpenCVE AI on April 22, 2026 at 13:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update for Mozilla Firefox and Mozilla Thunderbird, which addresses the buffer overflow (CWE‑119) in the WebRTC component.
  • If upgrading is not immediately possible, disable the WebRTC feature in the browser settings or use an extension to block WebRTC, thereby reducing exposure to crafted media streams.
  • Continuously monitor application crash logs and network traffic for anomalous WebRTC packets indicating potential exploitation attempts.



Advisories

No advisories yet.

History

Wed, 27 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics
Values Removed: threat_severity None
Values Added: threat_severity Important


Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description
Values Removed: Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150.
Values Added: Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Weaknesses CWE-119
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150.
Title Incorrect boundary conditions in the WebRTC component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-27T16:54:59.993Z

Reserved: 2026-04-21T12:41:06.557Z

Link: CVE-2026-6775

Vulnrichment

Updated: 2026-04-21T18:00:07.911Z

NVD

Status: Analyzed

Published: 2026-04-21T13:16:23.260

Modified: 2026-04-22T15:17:55.843

Link: CVE-2026-6775

Red Hat

Severity: Important

Public Date: 2026-04-21T12:41:06Z

Links: CVE-2026-6775 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T13:45:18Z

Weaknesses