CVE-2026-6781
Published: 21 April 2026
Description
Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Mitigating Controls (NIST 800-53 r5) (AI)
Timely flaw remediation ensures application of the Firefox 150 and Thunderbird 150 patches that directly fix the uncontrolled resource consumption in the Audio/Video Playback component.
Resource availability protections limit allocation of CPU/memory to system processes, directly mitigating CWE-400 uncontrolled resource consumption leading to DoS.
Denial-of-service protections at system entry/exit points block or limit remote unauthenticated attacks exploiting the A/V playback vulnerability to crash the browser.
Security Summary (AI)
CVE-2026-6781 is a denial-of-service vulnerability in the Audio/Video Playback component of Mozilla Firefox and Thunderbird. Published on 2026-04-21, it affects versions of these products prior to 150 and is classified as CWE-400 (Uncontrolled Resource Consumption). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation leads to a denial-of-service condition, such as crashing the browser or rendering it unresponsive, without affecting confidentiality or integrity.
Mozilla's security advisories MFSA 2026-30 and MFSA 2026-33, along with Bugzilla entry 2025583, confirm the issue was addressed in Firefox 150 and Thunderbird 150. Security practitioners should prioritize updating affected systems to these versions for mitigation.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The remote DoS vulnerability enables crashing or unresponsiveness in the client application via uncontrolled resource consumption, directly mapping to T1499.004 Application or System Exploitation.