CVE-2026-6759
Published: 21 April 2026
Description
Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Mitigating Controls (NIST 800-53 r5)AI
Directly requires identifying, prioritizing, and applying patches for known flaws like this use-after-free vulnerability fixed in updated Firefox and Thunderbird versions.
Ensures receipt and dissemination of security advisories such as MFSA 2026-30 through 34, enabling timely awareness and patching for this CVE.
Mandates vulnerability scanning to identify systems running vulnerable versions of Firefox, ESR, or Thunderbird affected by this use-after-free.
Security SummaryAI
CVE-2026-6759 is a use-after-free vulnerability (CWE-416) in the Widget: Cocoa component of Mozilla products, specifically affecting Firefox, Firefox ESR, and Thunderbird. Published on 2026-04-21, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.
The vulnerability can be exploited by remote attackers with no privileges or user interaction required, accessible over the network with low attack complexity. Exploitation results in a denial-of-service condition, such as application crashes, with no direct impact on confidentiality or integrity.
Mozilla's security advisories (MFSA 2026-30, MFSA 2026-32, MFSA 2026-33, and MFSA 2026-34), along with Bugzilla entry 2016164, confirm the issue was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. Mitigation requires updating to these patched versions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free leads to application crashes enabling Endpoint Denial of Service via direct application exploitation.