CVE-2026-6775

Medium

Published: 21 April 2026

Published

21 April 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0004 11.3th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Description

Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SA-11 Developer Testing and Evaluation

addresses: CWE-119

Ongoing control assessments and code testing (static/dynamic analysis, fuzzing) surface memory buffer restriction failures, which are then remediated before release.

SC-27 Platform-independent Applications

addresses: CWE-119

Managed runtimes used by platform-independent applications (e.g., JVM, CLR) enforce memory safety, preventing most buffer overflows that require direct memory manipulation.

SI-16 Memory Protection

addresses: CWE-119

Memory protections (e.g., W^X, ASLR) make exploitation of buffer-boundary violations far harder to turn into code execution.

SI-4 System Monitoring

addresses: CWE-119

Detects exploitation attempts that produce memory corruption, crashes, or anomalous behavior.

Security SummaryAI

CVE-2026-6775 is a vulnerability involving incorrect boundary conditions in the WebRTC component, classified under CWE-119. It affects Mozilla Firefox and Thunderbird versions prior to 150, where the issue allows for improper handling of data boundaries. The vulnerability carries a CVSS v3.1 base score of 5.3, reflecting medium severity with network accessibility, low attack complexity, no required privileges or user interaction, unchanged scope, and low impact on confidentiality.

Remote, unauthenticated attackers can exploit this vulnerability over the network without user interaction. Successful exploitation enables limited disclosure of sensitive information, such as partial access to confidential data processed by the WebRTC component, though it does not impact integrity or availability.

Mozilla's security advisories (MFSA 2026-30 and MFSA 2026-33) and the associated Bugzilla entry detail the fix implemented in Firefox 150 and Thunderbird 150. Security practitioners should prioritize updating affected instances to these versions to mitigate the issue.

Details

CWE(s): CWE-119

Affected Products

mozilla

firefox

≤ 150.0

mozilla

thunderbird

≤ 150.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Remote network exploitation of vulnerable WebRTC component in browser for partial info disclosure directly matches T1190; client-side nature and lack of code exec limit additional mappings.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2021768
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-30/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-33/
Vendor Advisory · security@mozilla.org