Cyber Posture

CVE-2026-6746

High

Published: 21 April 2026
Modified: 22 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (19.5th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Directly mandates timely identification, reporting, and correction of flaws like this use-after-free vulnerability through patching to fixed Firefox and Thunderbird versions.
- prevent: Implements memory protections such as ASLR and DEP that mitigate exploitation of the DOM use-after-free, reducing crash likelihood even if unpatched.
- prevent: Provides denial-of-service protections to maintain browser availability against remote exploitation attempts causing crashes via this vulnerability.

Security Summary (AI-generated)

CVE-2026-6746 is a use-after-free vulnerability (CWE-416) in the DOM: Core & HTML component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 150, Firefox ESR prior to 115.35 and 140.10, and Thunderbird prior to 150 and 140.10. The issue was publicly disclosed on April 21, 2026, and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its potential for denial-of-service impact.

Remote attackers can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction. Successful exploitation leads to a crash of the affected browser or mail client, resulting in high availability impact but no direct compromise of confidentiality or integrity.

Mozilla's security advisories (MFSA 2026-30 through 2026-33) and the associated Bugzilla entry (bug 2014596) detail the patch, recommending immediate upgrades to Firefox 150, Firefox ESR 115.35 or 140.10, Thunderbird 150, or Thunderbird 140.10 to mitigate the issue. No workarounds are specified in the provided references.

Details

CWE(s)

CWE-416 (Use After Free)

Affected Products

- Vendor: mozilla · Product: firefox · Versions: ≤ 115.35.0 · ≤ 150.0 · 140.0 — 140.10.0
- Vendor: mozilla · Product: thunderbird · Versions: ≤ 140.10.0

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability is a use-after-free in the Firefox/Thunderbird DOM that leads to a client crash with high availability impact and no confidentiality or integrity compromise, directly matching T1499.004 (Application or System Exploitation) for endpoint denial of service via exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References