CVE-2026-6786

High

Published: 26 April 2026

Published

26 April 2026

Modified

28 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 19.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to…

run arbitrary code. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of software flaws like the memory safety bugs in Firefox and Thunderbird to prevent arbitrary code execution.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms such as ASLR and DEP that directly mitigate exploitation of memory corruption bugs including out-of-bounds read/write and use-after-free.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables vulnerability scanning to identify systems running vulnerable versions of Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149, or Thunderbird 149 affected by this CVE.

Security SummaryAI

CVE-2026-6786 encompasses multiple memory safety bugs affecting Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149, and Thunderbird 149. These bugs, associated with CWE-125 (Out-of-bounds Read), CWE-416 (Use After Free), and CWE-787 (Out-of-bounds Write), showed evidence of memory corruption in some cases. Mozilla presumes that with sufficient effort, certain bugs could enable arbitrary code execution.

The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation over the network with high attack complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability. Remote attackers could potentially leverage these flaws to execute arbitrary code in the context of the affected browser or email client.

Mozilla's security advisories (MFSA 2026-30, 2026-32, 2026-33, and 2026-34) detail the fixes applied in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird ESR 140.10. Security practitioners should prioritize updating to these patched versions to mitigate the risks. Additional technical details are available in the linked Bugzilla entries.

Details

CWE(s): CWE-125 CWE-416 CWE-787

Affected Products

mozilla

firefox

≤ 150.0 · 140.0 — 140.10.0

mozilla

thunderbird

140.0 — 140.10.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

The CVE describes remote memory corruption vulnerabilities (CWE-125, CWE-416, CWE-787) in client applications (Firefox/Thunderbird) that can lead to arbitrary code execution with no user interaction required, directly enabling Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1