Cyber Posture

CVE-2026-6748

Critical

Published: 21 April 2026

Modified: 22 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.7th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates CVE-2026-6748 by requiring timely installation of vendor patches to fix the uninitialized memory vulnerability in Firefox and Thunderbird Web Codecs.

Prevent: Implements memory protection mechanisms such as ASLR and DEP that reduce the exploitability of uninitialized memory disclosure and corruption in the Web Codecs component.

Detect: Enables scanning to identify systems running vulnerable versions of Firefox or Thunderbird affected by this uninitialized memory issue, so that they can be remediated.

Security Summary

CVE-2026-6748 is an uninitialized memory vulnerability, classified under CWE-457, in the Audio/Video: Web Codecs component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 150, Firefox ESR prior to 140.10, Thunderbird prior to 150, and Thunderbird prior to 140.10. Published on 2026-04-21, the issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which places it in the critical severity band.

The vulnerability enables exploitation by a remote attacker over the network with low attack complexity, requiring no privileges, user interaction, or scope changes. Successful exploitation can result in high confidentiality, integrity, and availability impacts on the affected system.

Mozilla advisories MFSA2026-30, MFSA2026-32, MFSA2026-33, and MFSA2026-34 document the patch, confirming fixes in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. Additional technical details are available in Bugzilla entry 2022604. Security practitioners should prioritize updating to these versions to mitigate the risk.
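The "detect" control above calls for finding installations that are still below the fixed versions. The following is an added example (not code from Cyber Posture or Mozilla) that encodes the fix versions stated in this record and checks an inventory of hosts against them; the inventory rows, host names and the treatment of every 140.x build as the ESR branch are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Fixed versions as stated in the advisory text: mainline 150 and ESR 140.10,
# for both products. Stored as 3-part tuples so comparisons are well defined.
FIXED = {
    "firefox": {"mainline": (150, 0, 0), "esr_branch": 140, "esr_fixed": (140, 10, 0)},
    "thunderbird": {"mainline": (150, 0, 0), "esr_branch": 140, "esr_fixed": (140, 10, 0)},
}

def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '140.9.0esr', '150.0b3' or '149' into a comparable (major, minor, patch) tuple.
    Suffixes such as 'esr' or 'b3' are dropped; missing fields are padded with zeros
    so that '150' compares equal to '150.0.0' rather than sorting below it."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]

def is_affected(product: str, version: str) -> bool:
    """True if this product/version is below the fix for CVE-2026-6748.
    Assumption: any 140.x build is on the ESR branch (fixed at 140.10);
    every other version below 150 is unpatched, per the 'prior to 150' wording."""
    fix = FIXED[product.lower()]
    v = parse_version(version)
    if v[0] == fix["esr_branch"]:
        return v < fix["esr_fixed"]
    return v < fix["mainline"]

def find_affected(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that still need the patch."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed sample inventory (not real hosts), as an asset database might export it.
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "149.0.2"),
    ("ws-02", "firefox", "150.0"),
    ("ws-03", "firefox", "140.9.0esr"),
    ("ws-04", "firefox", "140.10.0esr"),
    ("mail-01", "thunderbird", "140.8.1"),
    ("mail-02", "thunderbird", "150.0"),
]

if __name__ == "__main__":
    for host, product, version in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version")
```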

Details

CWE(s): CWE-457 (Use of Uninitialized Variable)

Affected Products

mozilla / firefox: ≤ 140.10.0 · ≤ 150.0
mozilla / thunderbird: ≤ 140.10.0

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Uninitialized memory vulnerability (CWE-457) in Firefox/Thunderbird web codecs component enables remote code execution in a client application with no privileges or user interaction required, directly mapping to Exploitation for Client Execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References