PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-5734 Mozilla CVE debrief

CVE-2026-5734 is a critical vulnerability affecting multiple Mozilla products, including Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1, and Thunderbird 149.0.1. It is caused by memory safety bugs, some of which showed evidence of memory corruption. If exploited, these bugs could allow attackers to run arbitrary code. The vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1. Users are advised to update their software to the latest versions to mitigate this vulnerability.

Vendor: Mozilla
Product: Firefox
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-07
Original CVE updated: 2026-06-30
Advisory published: 2026-04-07
Advisory updated: 2026-06-30

Who should care

This vulnerability affects users of Mozilla's Firefox ESR, Thunderbird ESR, Firefox, and Thunderbird products. Specifically, users of Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1, and Thunderbird 149.0.1 are at risk. Given the critical severity and potential for arbitrary code execution, administrators and users of these products should prioritize updating to the patched versions: Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

Technical summary

CVE-2026-5734 is a critical vulnerability caused by multiple memory safety bugs in Mozilla products. These bugs were found in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1, and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption, which indicates a high risk that they could be exploited for arbitrary code execution. The CVSS score for this vulnerability is 9.8, classified as Critical. The vulnerability has been addressed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

Defensive priority

High. This critical vulnerability requires immediate attention due to its potential for arbitrary code execution. Updating to the patched versions is essential to mitigate the risk.

Recommended defensive actions

  • Update Firefox to version 149.0.2 or later.
  • Update Firefox ESR to version 140.9.1 or later.
  • Update Thunderbird to version 149.0.2 or later.
  • Update Thunderbird ESR to version 140.9.1 or later.
  • Ensure all users of affected products are informed and updated promptly.
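To confirm the actions above across a fleet, the following added example (not part of the original advisory or any Mozilla tooling) checks a software inventory against the fixed versions listed on this page. It assumes ESR builds report their version with an "esr" suffix (for example "140.9.0esr") and that the inventory is in a hypothetical "host,product,version" format; the sample rows are constructed.

```python
import re

# Fixed versions as stated on this page, per product and channel (True = ESR).
# Assumption: ESR builds carry an "esr" suffix in their reported version.
FIXED = {
    "firefox": {False: (149, 0, 2), True: (140, 9, 1)},
    "thunderbird": {False: (149, 0, 2), True: (140, 9, 1)},
}
VERSION_RE = re.compile(r"^(\d+(?:\.\d+){0,2})(esr)?$", re.IGNORECASE)

def parse_version(text):
    """Return ((major, minor, patch), is_esr), or None if not a plain version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None  # beta/nightly strings and garbage go to manual review
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # "150" is treated as 150.0.0
    return tuple(parts), m.group(2) is not None

def needs_update(product, version_text):
    """True if below the fixed version, False if at/above it, None if unknown."""
    parsed = parse_version(version_text)
    fixed_by_channel = FIXED.get(product.strip().lower())
    if parsed is None or fixed_by_channel is None:
        return None
    version, is_esr = parsed
    return version < fixed_by_channel[is_esr]

def audit(inventory_lines):
    """Classify 'host,product,version' rows as UPDATE, ok, or REVIEW."""
    labels = {True: "UPDATE", False: "ok", None: "REVIEW"}
    results = []
    for line in inventory_lines:
        host, product, version = [f.strip() for f in line.split(",")]
        results.append((host, product, version, labels[needs_update(product, version)]))
    return results

# Constructed sample inventory; hostnames and rows are made up for illustration.
SAMPLE = [
    "ws-01,firefox,149.0.1",
    "ws-02,firefox,149.0.2",
    "ws-03,firefox,140.9.0esr",
    "mail-01,thunderbird,140.9.1esr",
    "mail-02,thunderbird,150.0b3",
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

Rows marked REVIEW have a product or version string the check cannot classify and should be inspected by hand rather than assumed patched.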

Evidence notes

The CVE record and NVD detail provide comprehensive information about this vulnerability, including its critical severity, affected products, and patched versions. Mozilla's security advisories (MFSA2026-25, MFSA2026-27, MFSA2026-28, MFSA2026-29) offer detailed guidance on the vulnerability and mitigation steps. Red Hat errata (RHSA-2026:11805, RHSA-2026:11813, etc.) also address this vulnerability for Red Hat users.

This article is AI-assisted and based on the supplied source corpus.