Description
Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
Published: 2026-04-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw originates from incorrect boundary checks in the Audio/Video component of Mozilla Firefox and Thunderbird, potentially allowing sensitive data to be read from memory. Identified as a buffer overrun weakness (CWE‑119) and an out‑of‑bounds read (CWE‑125), the description does not specify the exact exploitation method, but suggests that improperly handled boundaries in media decoding could leak confidential information.

Affected Systems

Mozilla Firefox installations with versions older than 150.0.1, Firefox ESR 140.10.1, or Firefox ESR 115.35.1, and Thunderbird installations with versions older than 150.0.1 or Thunderbird ESR 140.10.1, are impacted. The issue affects the media decoding code used by any enabled codec or plugin in those applications.

Risk and Exploitability

The CVSS score of 7.5 reflects a high impact. The vulnerability is not listed in the CISA KEV catalog. The EPSS score is below 1%, indicating a low probability of exploitation. The likely attack vector is inferred to involve delivery of malicious audio or video content to the browser during playback or download; this inference is based on the description of boundary conditions in the decoding process. Once triggered, the flaw may enable an attacker to read sensitive information from memory. Applying the official patch removes the risk.

Generated by OpenCVE AI on May 12, 2026 at 01:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Firefox to 150.0.1, ESR 140.10.1, or ESR 115.35.1, and Thunderbird to 150.0.1 or 140.10.1 to apply the fix
  • Regularly monitor Mozilla security advisories for any additional updates or exploitation incidents related to this flaw
  • Configure Firefox to disable auto‑play of media from untrusted or external sites until user initiates playback

Generated by OpenCVE AI on May 12, 2026 at 01:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4555-1 firefox-esr security update
Debian DLA Debian DLA DLA-4562-1 thunderbird security update
Debian DSA Debian DSA DSA-6236-1 firefox-esr security update
Debian DSA Debian DSA DSA-6242-1 thunderbird security update
History

Tue, 12 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 01 May 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Thu, 30 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, and Firefox ESR 115.35.1. Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
References

Tue, 28 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Tue, 28 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 28 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, and Firefox ESR 115.35.1.
Title Information disclosure due to incorrect boundary conditions in the Audio/Video component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-30T17:19:50.682Z

Reserved: 2026-04-28T13:42:15.666Z

Link: CVE-2026-7320

cve-icon Vulnrichment

Updated: 2026-04-28T15:40:15.922Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-28T15:16:37.447

Modified: 2026-05-01T12:32:05.890

Link: CVE-2026-7320

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-28T13:49:08Z

Links: CVE-2026-7320 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T01:30:04Z

Weaknesses