Cyber Posture

CVE-2026-6767

Medium

Published: 21 April 2026

Modified: 22 April 2026
KEV Added
Patch
CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0005 (14.7th percentile)
Risk Priority: 11 (60% EPSS · 20% KEV · 20% CVSS)

Description

Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-119

Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.

addresses: CWE-119

Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.

addresses: CWE-119

Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.

addresses: CWE-119

Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.

Security Summary (AI)

CVE-2026-6767 is an unspecified issue in the Libraries component of Network Security Services (NSS), a cryptographic library used by Mozilla products. The vulnerability, classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), affects Firefox versions prior to 150, Firefox ESR prior to 115.35 and 140.10, and Thunderbird prior to 150 and 140.10. It received a CVSS v3.1 base score of 5.3, indicating medium severity with network accessibility, low attack complexity, no privileges or user interaction required, and unchanged scope.

An unauthenticated attacker on the network can exploit this vulnerability remotely with low complexity and no user interaction. Successful exploitation allows limited disclosure of confidential information, such as potentially sensitive data processed by NSS, but does not impact integrity or availability.

Mozilla security advisories (MFSA 2026-30 through 2026-33) and the associated Bugzilla entry confirm the issue was addressed in the listed fixed releases. Security practitioners should prioritize updating affected Firefox and Thunderbird installations to the patched versions to mitigate the risk.

Details

CWE(s)

Affected Products

mozilla firefox: ≤ 115.35.0 · ≤ 150.0 · 140.0 — 140.10.0
mozilla thunderbird: 140.0 — 140.10.0

MITRE ATT&CK Enterprise Techniques (AI)

T1005: Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Remote memory buffer flaw in NSS enables unauthenticated network-based confidentiality attacks that directly disclose sensitive local data processed by the library (e.g., crypto material).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1
