Description
Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Published: 2026-04-21
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Memory safety bugs were identified in older releases of Firefox and Thunderbird that can corrupt memory. Because memory corruption of this kind can lead to remote code execution, the impact is potential arbitrary code execution on the affected system. The vulnerabilities are mapped to weaknesses covering out-of-bounds reads and writes (buffer overflows) and use-after-free errors, which can let an attacker gain code execution.

Affected Systems

Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149, and Thunderbird 149 are affected. The fix is available in Firefox 150, Thunderbird 150, and the ESR 140.10 releases of both products.

Risk and Exploitability

The CVSS score of 8.1 reflects high severity, and although there is no EPSS data, the absence from CISA’s KEV catalog suggests it has not yet been widely exploited. Based on the description, the likely attack vector is through maliciously crafted web content or locally installed data that triggers the memory corruption. The risk is significant for systems that still run the vulnerable versions with unrestricted web or local file access.

Generated by OpenCVE AI on April 22, 2026 at 05:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Firefox ESR 140.10 or Firefox 150 update on all relevant systems.
  • Uninstall or disable legacy extensions that may trigger the affected code paths until the update is applied.
  • Apply enterprise browser policy to block execution of unsigned add-ons and restrict access to unmanaged content domains pending the update.



Advisories
Source: Debian DSA
ID: DSA-6225-1
Title: firefox-esr security update
References
Links:
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2010727%2C2019004%2C2019224%2C2019547%2C2020378%2C2022381%2C2022608%2C2022785%2C2023120%2C2023128%2C2023140%2C2023279%2C2023836%2C2023882%2C2023925%2C2023950%2C2023959%2C2023965%2C2024243%2C2024245%2C2024247%2C2024253%2C2024346%2C2024357%2C2024416%2C2024420%2C2024429%2C2024432%2C2024455%2C2024466%2C2024468%2C2024476%2C2024664%2C2024666%2C2024669%2C2024670%2C2024671%2C2024761%2C2024918%2C2025292%2C2025332%2C2025348%2C2025384%2C2025395%2C2025458%2C2025461%2C2025463%2C2025481%2C2025483%2C2025485%2C2025494%2C2025506%2C2025511%2C2025513%2C2025520%2C2026277%2C2026282%2C2026288%2C2026289%2C2026311%2C2026312%2C2026869%2C2027152%2C2027161%2C2027238%2C2027261%2C2027269%2C2027274%2C2027280%2C2027281%2C2027300%2C2027302%2C2027331%2C2027339%2C2027340%2C2027738%2C2027975%2C2028000%2C2028011%2C2028289%2C2028525%2C2028728%2C2028887%2C2028888%2C2028896%2C2029063%2C2029064%2C2029290%2C2029291%2C2029294%2C2029300%2C2029304%2C2029316%2C2029317%2C2029401%2C2029415%2C2029430%2C2029457%2C2029727%2C2029735%2C2029743%2C2029752%2C2029754%2C2029776%2C2029809%2C2030324%2C2030370
https://nvd.nist.gov/vuln/detail/CVE-2026-6786
https://www.cve.org/CVERecord?id=CVE-2026-6786
https://www.mozilla.org/security/advisories/mfsa2026-30/
https://www.mozilla.org/security/advisories/mfsa2026-32/
https://www.mozilla.org/security/advisories/mfsa2026-32/#CVE-2026-6786
https://www.mozilla.org/security/advisories/mfsa2026-33/
https://www.mozilla.org/security/advisories/mfsa2026-34/
History

Wed, 22 Apr 2026 12:15:00 +0000


Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Removed: Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Values Added: Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Type: References

Tue, 21 Apr 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Mozilla; Mozilla firefox
Type: Vendors & Products
Values Added: Mozilla; Mozilla firefox

Tue, 21 Apr 2026 14:15:00 +0000

Type: Weaknesses
Values Added: CWE-125, CWE-416, CWE-787
Type: Metrics
Values Added:
cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 13:15:00 +0000

Type: Description
Values Added: Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150 and Firefox ESR 140.10.
Type: Title
Values Added: Memory safety bugs fixed in Firefox ESR 140.10, Thunderbird ESR 140.10, Firefox 150 and Thunderbird 150
Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-22T03:56:13.131Z

Reserved: 2026-04-21T12:41:14.326Z

Link: CVE-2026-6786

Vulnrichment

Updated: 2026-04-21T13:35:17.545Z

NVD

No data.

Redhat

Severity : Important

Public Date: 2026-04-21T12:41:14Z

Links: CVE-2026-6786 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T05:45:09Z

Weaknesses