Description
Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Immediate Patch
AI Analysis

Impact

Based on the CVE description, the vulnerability stems from incorrect boundary checking in the WebRTC networking component, which can lead to memory corruption. It is classified as CWE‑119 and CWE‑131. It is inferred that successful exploitation could potentially compromise the integrity of the browser process.

Affected Systems

Mozilla Firefox and Thunderbird browsers are affected when they use the vulnerable WebRTC module. It is inferred that all releases prior to Firefox 150 / ESR 140.10 and Thunderbird 150 / 140.10 remain exposed. Any third‑party software that embeds the same WebRTC networking code without the patch is also at risk.

Risk and Exploitability

The CVSS score of 7.8 places the vulnerability in the high‑severity range. No EPSS score is available and the issue is not listed in the CISA KEV catalog. It is inferred that the flaw can be triggered by network traffic that reaches the WebRTC component, meaning a malicious web page or remote host could send crafted data to the victim. Successful exploitation would threaten the integrity of the affected process.

Generated by OpenCVE AI on April 22, 2026 at 13:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 150 or later, or to the ESR 140.10 release, and upgrade Mozilla Thunderbird to version 150 or the ESR 140.10 release, both of which include the fixed WebRTC networking code.
  • If an upgrade is not immediately possible, temporarily disable WebRTC by setting media.peerconnection.enabled to false in the about:config settings to prevent peer‑to‑peer connections from being established.
  • Apply network‑level controls to block or monitor the ports and protocols typically used by WebRTC, and keep track of any applications that rely on older WebRTC components for potential updates.

Generated by OpenCVE AI on April 22, 2026 at 13:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6225-1 firefox-esr security update
History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

 threat_severity

Low

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10. Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
References

Tue, 21 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Title Incorrect boundary conditions in the WebRTC: Networking component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:35:11.711Z

Reserved: 2026-04-21T12:41:07.296Z

Link: CVE-2026-6776

cve-icon Vulnrichment

Updated: 2026-04-21T13:49:48.407Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:23.350

Modified: 2026-04-22T15:07:55.830

Link: CVE-2026-6776

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-21T12:41:07Z

Links: CVE-2026-6776 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:45:18Z

Weaknesses