Cyber Posture

CVE-2026-6764

Severity: Medium
Published: 21 April 2026
Modified: 22 April 2026
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
EPSS Score: 0.0006 (18.0th percentile)
Risk Priority: 13 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release. (addresses: CWE-119)
- Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation. (addresses: CWE-119)
- Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution. (addresses: CWE-119)
- Detection of exploitation attempts that produce memory corruption, crashes, or anomalous behavior. (addresses: CWE-119)

Security Summary (AI-generated)

CVE-2026-6764 is a vulnerability involving incorrect boundary conditions in the DOM: Device Interfaces component, classified under CWE-119. It affects Mozilla Firefox, Firefox ESR, and Thunderbird. The issue was addressed in Firefox version 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. The vulnerability received a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L), indicating medium severity with network accessibility, low attack complexity, no privileges or user interaction required, and impacts limited to low integrity and availability without confidentiality loss or scope change.

Remote attackers can exploit this vulnerability over the network without authentication or user interaction. Successful exploitation allows limited disruption, such as minor integrity violations (e.g., data modification) or availability issues (e.g., denial of service), but does not enable data exfiltration or broader system compromise.

Mozilla's security advisories (MFSA2026-30 through MFSA2026-34) and the associated Bugzilla entry (bug 2022162) detail the fix applied in the specified versions. Security practitioners should ensure affected products are updated to these patched releases to mitigate the risk.

Details

CWE(s)

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Affected Products

- mozilla / firefox: ≤ 140.10.0 · ≤ 150.0
- mozilla / thunderbird: 140.0 — 140.10.0

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
- T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

Browser memory boundary flaw (CWE-119) with network trigger and low-integrity/availability impact directly supports application exploitation for DoS (T1499.004) and enables drive-by delivery via malicious web content (T1189).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1
