Description
Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability arises from incorrect boundary checks in the audio/video playback component, which permits an integer overflow during media processing. The overflow can corrupt internal memory and trigger application crashes, as noted by the official advisory. This leads to a loss of availability and potential integrity issues; no evidence of code execution is provided.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird builds before version 150 of each product are affected. The flaw was addressed in Firefox 150 and Thunderbird 150, so any earlier release remains vulnerable.

Risk and Exploitability

The CVSS score of 5.3 classifies the issue as medium severity. EPSS information is unavailable and the vulnerability is not listed in the CISA KEV catalog, indicating limited or no public exploitation to date. An attacker could exploit the integer overflow by supplying a crafted media file to the browser or email client, causing a crash and a denial of service, but no remote code execution vector is reported.

Generated by OpenCVE AI on April 22, 2026 at 07:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox and Thunderbird to version 150 or newer to apply the official fix.
  • If an upgrade cannot be performed immediately, disable or restrict playback of untrusted media—e.g., turn off autoplay or apply sandboxing to the media component.
  • Keep an eye on system logs for unexpected crashes and apply subsequent security updates promptly as they are released.

Advisories

No advisories yet.

History

Wed, 27 May 2026 18:30:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Mozilla thunderbird

Type: CPEs
Values Added: cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*

Type: Vendors & Products
Values Added: Mozilla thunderbird

Wed, 22 Apr 2026 12:15:00 +0000

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Important


Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Removed: Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.
Values Added: Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

Type: Weaknesses
Values Added: CWE-190

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:15:00 +0000

Type: First Time appeared
Values Added: Mozilla
Mozilla firefox

Type: Vendors & Products
Values Added: Mozilla
Mozilla firefox

Tue, 21 Apr 2026 13:15:00 +0000

Type: Description
Values Added: Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150.

Type: Title
Values Added: Incorrect boundary conditions, integer overflow in the Audio/Video: Playback component

Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-27T17:11:33.086Z

Reserved: 2026-04-21T12:41:12.181Z

Link: CVE-2026-6783

Vulnrichment

Updated: 2026-04-21T17:45:45.603Z

NVD

Status: Analyzed

Published: 2026-04-21T13:16:23.930

Modified: 2026-04-22T15:18:29.653

Link: CVE-2026-6783

Redhat

Severity: Important

Public Date: 2026-04-21T12:41:12Z

Links: CVE-2026-6783 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T07:30:11Z

Weaknesses