CVE-2026-6757
Published: 21 April 2026
Description
Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Security Summary (AI)
CVE-2026-6757 is an invalid pointer vulnerability (CWE-824) in the JavaScript WebAssembly component of Mozilla products. It affects Firefox versions prior to 150, Firefox ESR prior to 140.10, Thunderbird prior to 150, and Thunderbird prior to 140.10. The issue stems from an access of an uninitialized pointer, which can lead to memory corruption when processing malicious WebAssembly content.
The vulnerability has a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L), indicating that an unauthenticated remote attacker can exploit it over the network with low complexity, but that exploitation requires user interaction, such as visiting a malicious website or opening a crafted email in Thunderbird. Successful exploitation could result in limited impacts, including disclosure of sensitive information, minor modification of data, or partial denial of service due to application crashes or corruption.
Mozilla security advisories (MFSA 2026-30 through 2026-34) and the associated Bugzilla entry (bug 2013588) confirm the issue was addressed in the listed fixed releases. Security practitioners should prioritize updating affected Firefox and Thunderbird installations to mitigate the risk, as no workarounds are specified in the provided references.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Memory corruption in browser/Thunderbird WebAssembly enables drive-by compromise (T1189) via malicious sites, client-side exploitation for execution (T1203), and phishing delivery (T1566) through crafted emails/attachments.