Cyber Posture

CVE-2026-6763

Medium

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS Score 0.0006 17.3th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-25 Reference Monitor
addresses: CWE-693

Implements a reliable, tamperproof protection mechanism whose completeness can be assured.

AT-1 Policy and Procedures
addresses: CWE-693

Procedures for training on protection mechanisms reduce the chance of protection mechanism failures being present or exploitable.

CA-1 Policy and Procedures
addresses: CWE-693

Documented procedures to implement assessment, authorization, and monitoring controls prevent these protection mechanisms from failing due to undefined processes.

CA-2 Control Assessments
addresses: CWE-693

Direct evaluation of whether controls produce desired security outcomes detects protection mechanism failures and enables remediation.

CA-4 Security Certification
addresses: CWE-693

Requires assessment that protection mechanisms are correctly implemented and producing intended security outcomes.

CA-5 Plan of Action and Milestones
addresses: CWE-693

The POA&M process ensures identified weaknesses in protection mechanisms are documented and scheduled for remediation, reducing the duration they remain exploitable.

CA-7 Continuous Monitoring
addresses: CWE-693

Ongoing control assessments and analysis of monitoring data enable timely detection and response when protection mechanisms fail.

CM-4 Impact Analyses
addresses: CWE-693

Impact analysis identifies changes that could weaken or disable existing protection mechanisms.

Security SummaryAI

CVE-2026-6763 is a mitigation bypass vulnerability in the File Handling component of Mozilla products, specifically affecting Firefox versions prior to 150, Firefox ESR versions prior to 140.10, Thunderbird versions prior to 150, and Thunderbird versions prior to 140.10. Published on 2026-04-21, it carries a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N) and is associated with CWE-693 (Protection Mechanism Failure).

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation enables limited impacts on confidentiality and integrity, allowing attackers to bypass mitigations in the File Handling component.

Mozilla security advisories (MFSA2026-30 through MFSA2026-34) and the associated Bugzilla entry detail the patch, recommending immediate upgrades to Firefox 150, Firefox ESR 140.10, Thunderbird 150, or Thunderbird 140.10 to mitigate the issue.

Details

CWE(s)
CWE-693

Affected Products

mozilla
firefox
≤ 140.10.0 · ≤ 150.0
mozilla
thunderbird
140.0 — 140.10.0

MITRE ATT&CK Enterprise TechniquesAI

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
attack.mitre.org →
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

Bypass of file handling mitigations in browser/email client enables remote exploitation for drive-by compromise and client execution without user interaction.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References