CVE-2026-6750

High

Published: 21 April 2026

Published

21 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0004 13.7th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the privilege escalation vulnerability by requiring timely remediation through patching affected Firefox and Thunderbird versions to the fixed releases.

AC-6 Least Privilege good match

prevent

Addresses the core CWE-269 improper privilege management by enforcing least privilege for processes in the WebRender component, preventing unauthorized elevation.

SC-39 Process Isolation good match

prevent

Process isolation in browser architectures confines WebRender to sandboxed processes, blocking privilege escalation from maliciously crafted graphics content.

Security SummaryAI

CVE-2026-6750 is a privilege escalation vulnerability (CWE-269: Improper Privilege Management) in the Graphics: WebRender component of Mozilla products. It affects Firefox versions prior to 150, Firefox ESR prior to 115.35 and 140.10, Thunderbird prior to 150, and Thunderbird prior to 140.10. The vulnerability was published on 2026-04-21 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Remote attackers require no privileges but must trick users into some interaction, such as visiting a malicious site or processing crafted content. Low attack complexity enables exploitation over the network, potentially granting elevated privileges within the affected browser or application, resulting in high impacts to confidentiality, integrity, and availability.

Mozilla Security Advisories (MFSA 2026-30, 2026-31, 2026-32, and 2026-33) and Bugzilla entry 2023407 detail the fix applied in the listed versions. Security practitioners should prioritize updating affected Firefox and Thunderbird installations to mitigate this issue.

Details

CWE(s): CWE-269

Affected Products

mozilla

firefox

≤ 115.35.0 · ≤ 150.0 · 140.0 — 140.10.0

mozilla

thunderbird

≤ 140.10.0

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Client-side privilege escalation vulnerability in browser rendering component directly enables exploitation for privilege escalation (T1068) and client execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2023407
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-30/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-31/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-32/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-33/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-34/
Vendor Advisory · security@mozilla.org