Description
Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Patch
AI Analysis

Impact

The vulnerability is an invalid pointer in the Audio/Video Playback component of Mozilla Firefox and Thunderbird. It is identified as CWE-476, CWE-824, and CWE-825. When triggered it can corrupt memory or cause application crashes.

Affected Systems

The affected vendor is Mozilla. The impacted products are Firefox and Thunderbird. Versions of Firefox or Thunderbird older than 150 contain the vulnerability, as the fix was applied in release 150. No specific sub‑releases are enumerated; any pre‑150 installation is at risk.

Risk and Exploitability

The CVSS score is 5.3, the EPSS score is not available, and it is not listed in the CISA KEV catalog. The likely attack vector, based on the description, is execution of malformed media that triggers the invalid pointer in the playback component. The vulnerability can lead to memory corruption, which may cause crashes or undefined behavior, but no evidence of arbitrary code execution is given in the CVE description.

Generated by OpenCVE AI on April 22, 2026 at 13:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 150 or later, which contains the memory corruption fix.
  • Upgrade Mozilla Thunderbird to version 150 or later, which contains the memory corruption fix.
  • If an immediate upgrade cannot be performed, disable or restrict automatic media playback from untrusted sources and consider using extensions that enforce strict sandboxing for media content.

Generated by OpenCVE AI on April 22, 2026 at 13:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 22 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150. Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Weaknesses CWE-416
CWE-476
CWE-824
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.
Title Invalid pointer in the Audio/Video: Playback component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-21T23:35:13.913Z

Reserved: 2026-04-21T12:41:08.788Z

Link: CVE-2026-6778

cve-icon Vulnrichment

Updated: 2026-04-21T17:25:48.321Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:23.513

Modified: 2026-04-22T16:05:45.480

Link: CVE-2026-6778

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-21T12:41:09Z

Links: CVE-2026-6778 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:45:18Z

Weaknesses