CVE-2026-6776

High

Published: 21 April 2026

Published

21 April 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0001 2.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly addresses the vulnerability by requiring timely identification, testing, and deployment of patches for known flaws like the incorrect boundary conditions in WebRTC fixed in Firefox 150 and Thunderbird 150.

SI-16 Memory Protection partial match

prevent

Mitigates exploitation of CWE-119 buffer overflow vulnerabilities through memory protections such as non-executable memory regions and address space layout randomization in browser processes.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables detection of systems running vulnerable versions of Firefox, ESR, or Thunderbird affected by CVE-2026-6776 through periodic vulnerability scanning.

Security SummaryAI

CVE-2026-6776 involves incorrect boundary conditions, classified under CWE-119, in the WebRTC Networking component. This vulnerability affects Mozilla products including Firefox, Firefox ESR, and Thunderbird. It was addressed in the following releases: Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Local attackers can exploit it with low attack complexity and no required privileges, though user interaction is necessary. Successful exploitation enables high-impact consequences, including unauthorized access to confidential data, modification of system integrity, and disruption of availability.

Mozilla security advisories MFSA2026-30, MFSA2026-32, MFSA2026-33, and MFSA2026-34, along with Bugzilla entry 2021770, provide details on the issue and recommend updating to the fixed versions for mitigation.

Details

CWE(s): CWE-119

Affected Products

mozilla

firefox

≤ 140.10.0 · ≤ 150.0

mozilla

thunderbird

≤ 140.10.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Memory corruption vulnerability (CWE-119) in client application (Firefox/Thunderbird WebRTC component) with local attack vector, no privileges required, and user interaction, directly enabling arbitrary code execution via client-side exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2021770
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-30/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-32/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-33/
Vendor Advisory · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-34/
Vendor Advisory · security@mozilla.org