Cyber Posture

CVE-2026-6778

Medium

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score 0.0004 13.3th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Description

Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

Security SummaryAI

CVE-2026-6778 is an invalid pointer vulnerability (CWE-476, CWE-824) in the Audio/Video: Playback component of Mozilla Firefox and Thunderbird. Published on 2026-04-21, it carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). The issue was addressed in Firefox 150 and Thunderbird 150.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and without requiring user interaction or privileges. Successful exploitation results in a low-impact denial of service, such as application crashes affecting availability.

Mozilla's security advisories MFSA2026-30 and MFSA2026-33 provide details on the vulnerability and patches, recommending upgrades to Firefox 150 or Thunderbird 150. Further technical information is available in Bugzilla ticket 2022746.

Details

CWE(s)
CWE-476CWE-824

Affected Products

mozilla
firefox
≤ 150.0
mozilla
thunderbird
≤ 150.0

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Invalid pointer dereference in browser media playback directly enables application crash via exploitation, matching T1499.004 Endpoint Denial of Service (Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References