PatchSiren cyber security CVE debrief
CVE-2026-5731 Mozilla CVE debrief
CVE-2026-5731 is a critical vulnerability affecting multiple Mozilla products, including Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1, and Thunderbird 149.0.1. The vulnerability is caused by memory safety bugs, some of which showed evidence of memory corruption. If exploited, these bugs could potentially allow attackers to run arbitrary code. The vulnerability was fixed in Firefox 149.0.2, Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1. Users are advised to update their software to the latest versions to mitigate this vulnerability.
- Vendor: Mozilla
- Product: Firefox
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-07
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-07
- Advisory updated: 2026-06-30
Who should care
This vulnerability affects users of Mozilla's Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR. Specifically, users of Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1, and Thunderbird 149.0.1 are at risk. Given the critical severity and potential for arbitrary code execution, administrators and users of these products should prioritize patching.
Technical summary
CVE-2026-5731 covers multiple memory safety bugs in Mozilla products. These bugs were found in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1, and Thunderbird 149.0.1. Some of these bugs demonstrated memory corruption, indicating a high risk of potential exploitation for arbitrary code execution. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 9.8, indicating a critical severity level. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability.
Defensive priority
Given the critical severity of CVE-2026-5731 and its potential for arbitrary code execution, patching affected systems should be prioritized. Administrators should ensure that Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR are updated to the fixed versions or later: Firefox 149.0.2, Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.
Recommended defensive actions
- Update Firefox to version 149.0.2 or later.
- Update Firefox ESR to version 115.34.1 or later.
- Update Firefox ESR to version 140.9.1 or later.
- Update Thunderbird to version 149.0.2 or later.
- Update Thunderbird ESR to version 140.9.1 or later.
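The update list above can be applied to a software inventory with a per-branch comparison, since an ESR install has to be checked against the fixed build of its own branch rather than against the release version. The following is an added example, not code from PatchSiren or Mozilla; the inventory rows, host names, and the `release`/`esr` channel labels are assumptions made for illustration.

```python
import re

# Fixed builds as listed on this page for CVE-2026-5731.
FIXED_RELEASE = {"firefox": (149, 0, 2), "thunderbird": (149, 0, 2)}
FIXED_ESR = {  # keyed by (product, ESR branch major version)
    ("firefox", 115): (115, 34, 1),
    ("firefox", 140): (140, 9, 1),
    ("thunderbird", 140): (140, 9, 1),
}

def parse_version(text):
    """'115.34.0esr' -> (115, 34, 0); short versions such as '149.0' are padded."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,2})(?:esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def status(product, channel, version):
    """Return 'patched', 'update', or 'unlisted-branch' for one install."""
    product, channel = product.lower(), channel.lower()
    v = parse_version(version)
    if channel == "release":
        return "patched" if v >= FIXED_RELEASE[product] else "update"
    fixed = FIXED_ESR.get((product, v[0]))
    if fixed is None:
        # The page names no fixed build for this ESR branch: flag for manual review.
        return "unlisted-branch"
    return "patched" if v >= fixed else "update"

# Constructed sample inventory: (host, product, channel, version). Assumed format.
INVENTORY = [
    ("ws-001", "firefox", "release", "149.0.1"),
    ("ws-002", "firefox", "esr", "115.34.1esr"),
    ("ws-003", "thunderbird", "esr", "140.9.0"),
    ("ws-004", "firefox", "esr", "128.5.0esr"),
]

def triage(rows):
    """Map each host to its patch status."""
    return {host: status(p, c, v) for host, p, c, v in rows}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host:8} {result}")
```

Installs reported as `unlisted-branch` are on an ESR branch for which this page lists no fixed build, so they need a manual decision rather than an automatic pass.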
Evidence notes
The CVE-2026-5731 vulnerability was publicly disclosed on April 7, 2026, and last modified on June 30, 2026. The vulnerability was fixed in various Mozilla products, including Firefox, Firefox ESR, and Thunderbird. Multiple references, including vendor advisories and bug reports, are available for further information.
Official resources
- CVE-2026-5731 CVE record (CVE.org)
- CVE-2026-5731 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: [email protected] - Broken Link
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.