CVE-2026-6784

High

Published: 21 April 2026

Published

21 April 2026

Modified

07 May 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0004 12.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Memory safety bugs present in Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was…

fixed in Firefox 150 and Thunderbird 150.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates identification, reporting, and timely patching of system flaws like the memory safety bugs in Firefox 149, fixed in version 150.

SI-16 Memory Protection good match

prevent

Implements security safeguards such as ASLR, DEP, and stack canaries to protect against unauthorized code execution from memory corruption vulnerabilities like out-of-bounds reads/writes and use-after-free.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables vulnerability scanning to identify systems running vulnerable Firefox 149 or Thunderbird 149 versions exploitable for arbitrary code execution.

Security SummaryAI

CVE-2026-6784 involves multiple memory safety bugs in Firefox version 149 and Thunderbird version 149, classified under CWE-125 (Out-of-bounds Read), CWE-416 (Use After Free), and CWE-787 (Out-of-bounds Write). Some of these bugs exhibited evidence of memory corruption, which Mozilla presumes could be exploited with sufficient effort to achieve arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 7.5.

A remote attacker with no privileges required can exploit this over the network, though it demands high attack complexity and user interaction, such as clicking a malicious link or opening a crafted webpage or email. Successful exploitation could result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution within the affected browser or email client context.

Mozilla's security advisories (MFSA 2026-30 and MFSA 2026-33) detail the fixes applied in Firefox 150 and Thunderbird 150, recommending immediate updates to mitigate the issues. Additional technical details are available in the associated Bugzilla entries.

Details

CWE(s): CWE-125 CWE-416 CWE-787

Affected Products

mozilla

firefox

≤ 150.0

mozilla

thunderbird

≤ 150.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

T1204.001 Malicious Link Execution

An adversary may rely upon a user clicking a malicious link in order to gain execution.

attack.mitre.org →

Why these techniques?

The CVE describes memory corruption vulnerabilities in client applications (Firefox/Thunderbird) enabling arbitrary code execution via malicious webpage or email content. This directly maps to T1203 (Exploitation for Client Execution) as the core exploitation vector and T1204.001 (Malicious Link) due to the required user interaction of clicking a crafted link or opening malicious content.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1