PatchSiren cyber security CVE debrief

CVE-2026-5735 Mozilla CVE debrief

CVE-2026-5735 is a critical Mozilla vulnerability affecting Firefox 149.0.1 and Thunderbird 149.0.1. The CVE description says the issue involved memory safety bugs, some with evidence of memory corruption, and that Mozilla presumed some could have been exploited to run arbitrary code. Mozilla fixed the problem in Firefox 149.0.2 and Thunderbird 149.0.2. Because NVD rates the issue 9.8 and the CVSS vector indicates network attack, no privileges, and no user interaction, this should be treated as an urgent patching item.

Vendor: Mozilla
Product: CVE-2026-5735
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-07
Original CVE updated: 2026-05-10
Advisory published: 2026-04-07
Advisory updated: 2026-05-10

Who should care

Administrators and users running Firefox or Thunderbird 149.0.1, especially in environments where browser or email-client compromise would have high impact. Security teams managing endpoint patching should prioritize this update immediately.

Technical summary

NVD classifies the flaw as a memory safety issue with CWE-787 as the primary weakness and CWE-125/CWE-787 as secondary references. The published description notes evidence of memory corruption and a presumption of possible arbitrary code execution with sufficient effort. NVD lists affected Mozilla products as Firefox and Thunderbird versions prior to 149.0.2, with a CVSS v3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

Immediate

Recommended defensive actions

  • Upgrade Firefox to 149.0.2 or later.
  • Upgrade Thunderbird to 149.0.2 or later.
  • Prioritize patch deployment for internet-facing or high-use endpoints first.
  • Verify that managed software inventories no longer include version 149.0.1.
  • Monitor Mozilla security advisories and vendor release notes for any follow-up guidance.
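As an added example that is not part of the PatchSiren debrief, the following Python script performs the inventory check from the list above over a constructed CSV export and flags any Firefox or Thunderbird entry still below the fixed release 149.0.2. The host names, CSV layout and inventory contents are assumptions; the version ordering assumes the mainline release track described on this page.

```python
import csv
import io

# Fixed release for CVE-2026-5735 per the debrief; products the advisory names.
FIXED_VERSION = "149.0.2"
AFFECTED_PRODUCTS = {"firefox", "thunderbird"}

# Constructed sample inventory export, one "host,product,version" row per line.
SAMPLE_INVENTORY = """\
host,product,version
ws-001,Firefox,149.0.1
ws-002,Firefox,149.0.2
ws-003,Thunderbird,149.0.1
ws-004,Thunderbird,150.0
ws-005,Firefox,148.9.0
ws-006,Chrome,124.0.6367.60
"""


def parse_version(text):
    """Turn '149.0.2' into a tuple of ints so versions order numerically.

    Non-numeric suffixes on a component (e.g. '2b1') are ignored; a component
    with no leading digits counts as 0.
    """
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(product, version, fixed=FIXED_VERSION):
    """True when an affected Mozilla product is below the fixed release."""
    if product.strip().lower() not in AFFECTED_PRODUCTS:
        return False
    return parse_version(version) < parse_version(fixed)


def hosts_needing_patch(inventory_csv):
    """Return (host, product, version) rows that still need the 149.0.2 update."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["product"], r["version"])
            for r in rows if is_vulnerable(r["product"], r["version"])]


if __name__ == "__main__":
    for host, product, version in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} < {FIXED_VERSION}, patch required")
```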

Evidence notes

This debrief is based on the supplied CVE description and NVD metadata only. The source corpus states that Mozilla fixed the issue in Firefox and Thunderbird 149.0.2 and that some bugs showed evidence of memory corruption. NVD references Mozilla advisories and an issue-tracking link, but the full advisory text was not included in the corpus.

Official resources

Publicly disclosed and published in CVE/NVD on 2026-04-07; NVD metadata was later modified on 2026-05-10. The CVE description attributes the issue to Mozilla Firefox and Thunderbird 149.0.1 and says it was fixed in 149.0.2.