Description
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The updated description confirms a denial‑of‑service vulnerability in the Audio/Video: Playback component. Maliciously crafted playback data can cause the browser or email client process to exhaust system resources, crash, or become unresponsive. The flaw is a classic resource exhaustion case where input is accepted without proper bounds checking, leading to repeated unstable operations and loss of availability for users attempting to play media content.

Affected Systems

Mozilla Firefox and Thunderbird are affected. Versions prior to 150 are susceptible, as the bug was fixed in Firefox 150 and Thunderbird 150.

Risk and Exploitability

The CVSS score of 7.5 indicates a high‑severity denial‑of‑service issue. EPSS data is not available and is not listed in CISA’s KEV catalog, so no public exploitation data is currently known. Although it does not provide code execution, this flaw can degrade availability and may be combined with other vulnerabilities to increase overall attack impact.

Generated by OpenCVE AI on April 22, 2026 at 13:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox and Thunderbird to version 150 or newer.
  • Avoid opening untrusted media files or email attachments until the client is updated.
  • Apply OS‑level or container resource limits to restrict media playback processes.

Generated by OpenCVE AI on April 22, 2026 at 13:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150. Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.
Title Denial-of-service in the Audio/Video: Playback component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-22T15:04:39.843Z

Reserved: 2026-04-21T12:41:10.075Z

Link: CVE-2026-6780

cve-icon Vulnrichment

Updated: 2026-04-21T17:54:44.033Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T13:16:23.683

Modified: 2026-04-22T15:08:52.070

Link: CVE-2026-6780

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T12:41:10Z

Links: CVE-2026-6780 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T13:45:18Z

Weaknesses