Cyber Posture

CVE-2026-6751

High

Published: 21 April 2026
Modified: 22 April 2026
KEV Added: none
Patch: fixed versions listed under Description
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0006 (18.0th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-2 Flaw Remediation (prevent)

Timely identification, reporting, and correction of flaws prevents exploitation of CVE-2026-6751 directly: upgrading to Firefox 150, Firefox ESR 140.10, Thunderbird 150, or Thunderbird 140.10 removes the uninitialized-memory defect in Web Codecs. No workaround is published, so patching is the only preventive control that addresses the flaw itself.

SI-16 Memory Protection (prevent)

Memory protection mechanisms such as ASLR, DEP, and stack canaries raise the cost of turning an uninitialized-memory bug into code execution, but they do not remove it. Uninitialized reads are themselves a common way to leak stale pointers and defeat ASLR, so these mechanisms are a layered defense, not a substitute for the patch.

RA-5 Vulnerability Monitoring and Scanning (detect)

Vulnerability monitoring and scanning identifies deployed Firefox and Thunderbird installations below the fixed versions, enabling remediation before exploitation. The ESR branch is fixed at 140.10 while the release branch is fixed at 150, so a scanner must compare against the baseline for the installed branch rather than a single version number.
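The branch-aware comparison that the detect control calls for, as an added example (not code from this page or from Mozilla): it encodes the fixed versions stated in the Description, classifies an installed version as vulnerable, fixed, or outside the ranges the page lists, and runs over a constructed inventory. Host names and version strings in the inventory are made up for the demonstration; a real deployment would feed it from an endpoint agent or package query.

```python
import re

# Fixed versions for CVE-2026-6751 as stated on this page. Both products have a
# 140.x (ESR-style) branch fixed at 140.10 and a release branch fixed at 150.
# Versions below 140 are outside the ranges the page lists, so they are reported
# as out-of-range rather than guessed at (assumption: consult the MFSA for those).
FIXED = {
    "firefox": {"esr_branch": 140, "esr_fixed": (140, 10, 0), "release_fixed": (150, 0, 0)},
    "thunderbird": {"esr_branch": 140, "esr_fixed": (140, 10, 0), "release_fixed": (150, 0, 0)},
}


def parse_version(s):
    """'140.9.1esr' -> (140, 9, 1). Missing components are 0; suffixes are dropped."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def assess(product, version):
    """Return 'vulnerable', 'fixed', or 'out-of-range' for CVE-2026-6751."""
    cfg = FIXED[product.lower()]
    v = parse_version(version)
    if v[0] == cfg["esr_branch"]:
        # 140.x is compared against the ESR fix, not against 150.
        return "fixed" if v >= cfg["esr_fixed"] else "vulnerable"
    if v[0] > cfg["esr_branch"]:
        return "fixed" if v >= cfg["release_fixed"] else "vulnerable"
    return "out-of-range"


# Constructed inventory (hostname, product, version); not real hosts.
INVENTORY = """\
ws-001 firefox 149.0.1
ws-002 firefox 140.9.0esr
ws-003 firefox 140.10.0esr
ws-004 firefox 150.0
ws-005 thunderbird 140.8.0
ws-006 thunderbird 150.0
ws-007 firefox 128.5.0esr
"""


def scan(inventory_text):
    """Classify every inventory line; returns (host, product, version, status) tuples."""
    findings = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, product, version = line.split()
        findings.append((host, product, version, assess(product, version)))
    return findings


def vulnerable_hosts(inventory_text):
    return [f[0] for f in scan(inventory_text) if f[3] == "vulnerable"]


if __name__ == "__main__":
    for host, product, version, status in scan(INVENTORY):
        print(f"{host:8} {product:12} {version:14} {status}")
```

The point of the separate `esr_branch` check is the case a naive "version < 150" rule gets wrong in both directions: it would flag 140.10.0esr (already fixed) and, if written as "version < 140.10", would miss 149.0.1 (still vulnerable).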

Security Summary [AI-generated]

CVE-2026-6751 is an uninitialized memory vulnerability (CWE-457) in the Audio/Video: Web Codecs component of Mozilla Firefox and Thunderbird. It affects versions prior to Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. The issue was publicly disclosed on 2026-04-21 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rated High because it is reachable over the network with no privileges and no user interaction, even though each individual impact is rated Low.

The vector's PR:N/UI:N rating means that, in a browser context, attacker-controlled web content reaching the Web Codecs API is sufficient; no action is required from the victim beyond loading that content. Use of uninitialized memory most often manifests as disclosure of stale heap or stack contents, and the vector additionally records limited integrity and availability impact. Scope is unchanged, so the direct impact is confined to the affected process.

Mozilla's security advisories (MFSA 2026-30 through 2026-34) and the associated Bugzilla entry describe the fix shipped in the versions above; upgrading to a patched release is the recommended mitigation. No workarounds are mentioned in the provided references.

Details

CWE(s)

CWE-457 Use of Uninitialized Variable

Affected Products

mozilla / firefox: release branch below 150.0; ESR 140.x branch below 140.10.0
mozilla / thunderbird: 140.x branch from 140.0 up to but not including 140.10.0; release branch below 150.0

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

A client-side memory-safety flaw in the browser's Web Codecs API is reachable from ordinary web content, which maps to drive-by compromise (T1189) for initial access and to exploitation for client execution (T1203) if the uninitialized-memory condition can be turned into code execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References