CVE-2026-6761

High

Published: 21 April 2026

Published

21 April 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0004 13.4th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Privilege escalation in the Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely identification, reporting, and correction of flaws such as CVE-2026-6761 through patching to eliminate the privilege escalation vulnerability.

AC-6 Least Privilege good match

prevent

Enforces least privilege on system components like the browser's networking process to directly counter improper privilege management and limit escalation impact.

AC-3 Access Enforcement partial match

prevent

Mandates enforcement of access control policies to prevent unauthorized privilege escalations triggered by exploitation of the networking component vulnerability.

Security SummaryAI

CVE-2026-6761 is a privilege escalation vulnerability in the Networking component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 150, Firefox ESR prior to 140.10, Thunderbird prior to 150, and Thunderbird prior to 140.10. The issue is classified under CWE-269 (Improper Privilege Management) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

A remote attacker can exploit this vulnerability with low complexity and no required privileges, but it necessitates user interaction, such as clicking a malicious link or opening a crafted resource. Successful exploitation enables privilege escalation within the affected browser or mail client, potentially allowing the attacker to gain high-level access to the user's system resources, execute arbitrary code, or compromise sensitive data.

Mozilla's security advisories (MFSA 2026-30, 32, 33, and 34) and the associated Bugzilla entry (bug 2017857) detail the patch releases that address the vulnerability. Security practitioners should prioritize updating to Firefox 150, Firefox ESR 140.10, Thunderbird 150, or Thunderbird 140.10, as these versions include the necessary fixes to mitigate the privilege escalation risk.

Details

CWE(s): CWE-269

Affected Products

mozilla

firefox

≤ 140.10.0 · ≤ 150.0

mozilla

thunderbird

≤ 140.10.0

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

CVE describes a client-side privilege escalation vulnerability in browser/mail client (Firefox/Thunderbird) exploitable via malicious link/resource, directly mapping to T1068 (Exploitation for Privilege Escalation) and T1203 (Exploitation for Client Execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2017857
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-30/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-32/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-33/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-34/
Vendor Advisory · security@mozilla.org