PatchSiren cyber security CVE debrief
CVE-2026-6746 Mozilla CVE debrief
CVE-2026-6746 is a high-severity use-after-free vulnerability in the DOM: Core & HTML component of Firefox. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. The vulnerability has a CVSS score of 7.5 and is considered HIGH severity. The CVE was published on April 21, 2026, and last modified on June 30, 2026.
- Vendor: Mozilla
- Product: Firefox
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-21
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-21
- Advisory updated: 2026-06-30
Who should care
Organizations and individuals using Firefox, Firefox ESR, Thunderbird, or other affected products should prioritize patching this vulnerability. The vulnerability's high severity and potential for exploitation make it a critical concern for defenders. Mozilla has provided advisories and patches for affected products.
Technical summary
CVE-2026-6746 is a use-after-free issue in the DOM: Core & HTML component of Firefox. This type of vulnerability occurs when a program attempts to access memory after it has been freed, potentially leading to crashes or code execution. The vulnerability has been fixed in multiple Firefox and Thunderbird versions. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network attack vector, low attack complexity, no privileges or user interaction required, and a scored impact on availability only (A:H), which corresponds to the 7.5 HIGH rating.
Defensive priority
Defenders should prioritize patching CVE-2026-6746 due to its high severity and potential for exploitation. Ensure that Firefox, Firefox ESR, and Thunderbird are updated to the latest patched versions.
Recommended defensive actions
- Apply patches for Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
- Ensure all affected products are inventoried and updated.
- Monitor for potential exploitation attempts.
- Implement compensating controls, such as enhanced monitoring and incident response planning.
- Review and update vulnerability management processes to prevent similar issues.
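For the inventory step above, the following added example (not from Mozilla or the original page) classifies installed builds against the fixed versions listed on this page. The host names, the inventory tuple format, and the function names are hypothetical, and any build below the fixed level of its branch is assumed to be unpatched.

```python
import re

# Fixed versions as listed on this page. "mainline" is the first fixed
# release-channel major; "esr" maps an ESR major to its first fixed minor.
FIXED = {
    "firefox": {"mainline": 150, "esr": {115: 35, 140: 10}},
    "thunderbird": {"mainline": 150, "esr": {140: 10}},
}

def parse_version(text):
    """Return (major, minor) from strings such as '140.10.0esr' or '149.0.2'."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)

def patch_status(product, version):
    """Return 'patched', 'needs-update' or 'unknown-product' for one install.
    Assumption: the page lists fixed versions only, so any build below the
    fixed level of its branch is treated as not yet patched.
    """
    fixed = FIXED.get(product.lower())
    if fixed is None:
        return "unknown-product"
    major, minor = parse_version(version)
    if major >= fixed["mainline"]:
        return "patched"
    esr_minor = fixed["esr"].get(major)
    if esr_minor is not None and minor >= esr_minor:
        return "patched"
    return "needs-update"

def hosts_needing_update(inventory):
    """Return sorted host names with an install not confirmed as patched."""
    return sorted({host for host, product, version in inventory
                   if patch_status(product, version) != "patched"})

# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = [
    ("ws-02", "Firefox", "149.0.2"),
    ("ws-03", "Firefox", "140.9.1esr"),
    ("ws-04", "Firefox", "140.10.0esr"),
    ("ws-05", "Firefox", "115.35.0esr"),
    ("mail-01", "Thunderbird", "140.9.0esr"),
    ("mail-02", "Thunderbird", "150.0"),
]

if __name__ == "__main__":
    print(hosts_needing_update(SAMPLE_INVENTORY))
```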
Evidence notes
The CVE-2026-6746 vulnerability has been documented by Mozilla and NVD. Multiple references, including Bugzilla and Red Hat advisories, provide additional context and mitigation guidance. The CVE has been published and modified according to the provided timeline.
Official resources
- CVE-2026-6746 CVE record (CVE.org)
- CVE-2026-6746 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Permissions Required
- Mitigation or vendor reference: Vendor Advisory
This article is AI-assisted and based on the supplied source corpus.