CVE-2026-6785

High

Published: 26 April 2026

Published

26 April 2026

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 20.0th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have…

been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, testing, and correction of flaws, directly requiring patches for the memory safety bugs in Firefox and Thunderbird as recommended by Mozilla.

SI-16 Memory Protection good match

prevent

Implements controls to protect system memory from unauthorized code execution, directly mitigating exploitation of memory corruption issues like out-of-bounds reads/writes and use-after-free.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Requires vulnerability scanning to identify presence of known issues like CVE-2026-6785 in deployed Firefox and Thunderbird versions, enabling proactive remediation.

Security SummaryAI

CVE-2026-6785 involves multiple memory safety bugs, including those mapped to CWE-125 (Out-of-bounds Read), CWE-416 (Use After Free), and CWE-787 (Out-of-bounds Write), present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149, and Thunderbird 149. These bugs exhibited evidence of memory corruption, which Mozilla presumes could be exploited with sufficient effort to achieve arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Remote attackers require no privileges or user interaction to target systems over the network, though exploitation demands high attack complexity. Successful exploitation could enable arbitrary code execution, compromising confidentiality, integrity, and availability with high impact, as attackers could leverage the memory corruption for control over the affected browser or email client processes.

Mozilla's security advisories (MFSA 2026-30 through 2026-33) and associated Bugzilla entries detail the fixes, recommending immediate updates to Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, or Thunderbird ESR 140.10 to mitigate the issues. No additional workarounds are specified beyond applying these patches.

Details

CWE(s): CWE-125 CWE-416 CWE-787

Affected Products

mozilla

firefox

≤ 115.35.0 · ≤ 150.0 · 140.0 — 140.10.0

mozilla

thunderbird

140.0 — 140.10.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Memory corruption vulnerabilities enabling remote arbitrary code execution in client applications (browser/email client) without privileges or user interaction directly map to T1203 Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1