Cyber Posture

CVE-2026-6780

Severity: High

Published: 21 April 2026
Modified: 22 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0005 (16.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: Mandates timely flaw remediation through patching to Firefox 150 and Thunderbird 150, directly eliminating the uncontrolled resource consumption vulnerability.
- Prevent: Provides architectural and technical protections against denial-of-service attacks, including resource exhaustion caused by malformed audio/video inputs.
- Prevent: Ensures resource availability by monitoring and managing processor, memory, and other resources to limit the excessive consumption triggered by malicious media playback.

Security Summary (AI-generated)

CVE-2026-6780 is a denial-of-service vulnerability in the Audio/Video: Playback component of Mozilla Firefox and Thunderbird. Published on 2026-04-21, it stems from CWE-400 (Uncontrolled Resource Consumption) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue affects versions of Firefox and Thunderbird prior to 150, where malformed input to the playback component could trigger excessive resource usage.

A remote attacker can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction. By crafting and delivering malicious audio or video content—such as via a web page, email attachment, or direct file handling—the attacker can cause the affected browser or mail client to consume significant resources, leading to application crashes, browser hangs, or system-wide denial of service with high availability impact but no effects on confidentiality or integrity.

Mozilla's security advisories (MFSA 2026-30 and MFSA 2026-33) and the associated Bugzilla entry (bug 2025179) confirm the vulnerability was addressed in Firefox 150 and Thunderbird 150. Mitigation involves updating to these patched versions, with no additional workarounds specified.

Details

CWE(s)

CWE-400 (Uncontrolled Resource Consumption)

Affected Products

- mozilla firefox ≤ 150.0
- mozilla thunderbird ≤ 150.0

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1499.003 Application Exhaustion Flood (Impact)
Adversaries may target resource-intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

Why these techniques?

The CVE describes a remote DoS via malformed audio/video input causing uncontrolled resource consumption (CWE-400) in the client application, directly enabling application exhaustion attacks that lead to crashes or unavailability.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1