Description
Memory safety bugs present in Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1 and Thunderbird 150.0.1.
Published: 2026-04-28
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Memory safety bugs were discovered in Mozilla Thunderbird 150.0.0 that caused memory corruption, and the proof‑of‑concept evidence suggests that with enough effort they could be leveraged to execute arbitrary code. The weakness is a classic buffer overrun scenario (CWE‑119) that can corrupt memory and potentially allow code execution if an attacker can deliver a crafted payload into the application.

Affected Systems

Both Mozilla Thunderbird and Mozilla Firefox version 150.0.0 are affected; the product updates to 150.0.1 contain the fix. The CVE does not list later minor releases, so any configuration using exactly 150.0.0 of either product requires remediation.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity vulnerability, while the EPSS score of less than 1% shows that exploit attempts are currently rare. The vulnerability is not presently listed in the CISA KEV catalog. An attacker would need to gain sufficient access to Thunderbird or Firefox in order to exploit the memory corruption, but a successful exploit would provide full arbitrary code execution on the host.

Generated by OpenCVE AI on May 2, 2026 at 00:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mozilla Thunderbird to version 150.0.1 or later
  • Update Mozilla Firefox to version 150.0.1 or later
  • Consult Mozilla security advisories for any additional guidance or future updates
  • Consider disabling or restricting extensions that interact with Thunderbird or Firefox to reduce indirect exploitation paths

Advisories

No advisories yet.

History

Tue, 12 May 2026 00:15:00 +0000


Fri, 01 May 2026 15:30:00 +0000

CPEs
  Values Added:
    cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
    cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*

Thu, 30 Apr 2026 18:00:00 +0000

Description
  Values Removed: Memory safety bugs present in Firefox 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1.
  Values Added: Memory safety bugs present in Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1 and Thunderbird 150.0.1.
Title
  Values Removed: Memory safety bugs fixed in Firefox 150.0.1
  Values Added: Memory safety bugs fixed in Thunderbird 150.0.1
References

Thu, 30 Apr 2026 11:15:00 +0000

Metrics
  Values Removed:
    ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Values Added:
    ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 22:15:00 +0000

Description
  Values Removed: Memory safety bugs present in Firefox 150.0.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1.
  Values Added: Memory safety bugs present in Firefox 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1.
Title
  Values Removed: Memory safety bugs fixed in Firefox 150.0.1 and Thunderbird 150.0.1
  Values Added: Memory safety bugs fixed in Firefox 150.0.1

Tue, 28 Apr 2026 16:15:00 +0000

First Time appeared
  Values Added:
    Mozilla
    Mozilla firefox
    Mozilla thunderbird
Weaknesses
  Values Added: CWE-119
Vendors & Products
  Values Added:
    Mozilla
    Mozilla firefox
    Mozilla thunderbird
Metrics
  Values Added:
    cvssV3_1
    {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
    ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 14:30:00 +0000

Description
  Values Added: Memory safety bugs present in Firefox 150.0.0 and Thunderbird 150.0.0. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.1.
Title
  Values Added: Memory safety bugs fixed in Firefox 150.0.1 and Thunderbird 150.0.1
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-30T17:19:52.640Z

Reserved: 2026-04-28T13:42:18.908Z

Link: CVE-2026-7324

Vulnrichment

Updated: 2026-04-28T15:26:49.257Z

NVD

Status: Analyzed

Published: 2026-04-28T15:16:37.950

Modified: 2026-05-01T15:27:50.190

Link: CVE-2026-7324

Redhat

Severity: Important

Public Date: 2026-04-28T13:49:11Z

Links: CVE-2026-7324 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-02T00:45:30Z

Weaknesses