PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6746 Mozilla CVE debrief

CVE-2026-6746 is a high-severity use-after-free vulnerability in the DOM: Core & HTML component of Firefox. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. The vulnerability has a CVSS score of 7.5 and is considered HIGH severity. The CVE was published on April 21, 2026, and last modified on June 30, 2026.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-21
Original CVE updated: 2026-06-30
Advisory published: 2026-04-21
Advisory updated: 2026-06-30

Who should care

Organizations and individuals using Firefox, Firefox ESR, Thunderbird, or other affected products should prioritize patching this vulnerability. Its high severity and potential for exploitation make it a priority for defenders. Mozilla has provided advisories and patches for affected products.

Technical summary

CVE-2026-6746 is a use-after-free issue in the DOM: Core & HTML component of Firefox. This type of vulnerability occurs when a program accesses memory after it has been freed, potentially leading to crashes or code execution. The vulnerability has been fixed in multiple Firefox and Thunderbird versions. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and a high availability impact with no confidentiality or integrity impact scored. This corresponds to the HIGH 7.5 rating.

Defensive priority

Defenders should prioritize patching CVE-2026-6746 due to its high severity and potential for exploitation. Ensure that Firefox, Firefox ESR, and Thunderbird are updated to the latest patched versions.

Recommended defensive actions

  • Update to the fixed versions: Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
  • Ensure all affected products are inventoried and updated.
  • Monitor for potential exploitation attempts.
  • Implement compensating controls, such as enhanced monitoring and incident response planning.
  • Review and update vulnerability management processes to prevent similar issues.
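
One way to carry out the inventory step above, as an added example that is not PatchSiren's or Mozilla's code: it compares installed version strings against the fixed versions listed on this page. The host names and inventory rows are constructed, and treating releases newer than 150 as fixed is an assumption.

```python
import re

# Fixed versions exactly as listed on this page, keyed by product and major branch.
FIXED = {
    "firefox": {150: (150,), 115: (115, 35), 140: (140, 10)},
    "thunderbird": {150: (150,), 140: (140, 10)},
}

# Accepts dotted numeric versions with an optional "esr" suffix, e.g. "140.9.1esr".
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:esr)?$", re.IGNORECASE)


def assess(product, version):
    """Return 'fixed', 'needs-update' or 'review' for one installed build."""
    branches = FIXED.get(product.strip().lower())
    match = VERSION_RE.match(version.strip())
    if branches is None or match is None:
        # Unknown product, or a beta/nightly/garbled string: the page gives
        # no basis for a verdict, so route it to a human.
        return "review"
    parsed = tuple(int(part) for part in match.group(1).split("."))
    major = parsed[0]
    if major in branches:
        # Same branch as a listed fix: compare within that branch.
        return "fixed" if parsed >= branches[major] else "needs-update"
    # Assumption: majors above the newest listed fix keep the fix. Any other
    # branch (e.g. an ESR line with no fix listed here) must move to a fixed one.
    return "fixed" if major > max(branches) else "needs-update"


def triage(inventory):
    """Group (host, product, version) rows by assessment result."""
    result = {"fixed": [], "needs-update": [], "review": []}
    for host, product, version in inventory:
        result[assess(product, version)].append(host)
    return result


# Constructed sample inventory, not data from the page.
SAMPLE_INVENTORY = [
    ("ws-01", "Firefox", "150.0"),
    ("ws-02", "Firefox", "140.9.1esr"),
    ("ws-03", "Firefox", "115.35.0esr"),
    ("ws-04", "Firefox", "128.14.0esr"),
    ("ws-05", "Thunderbird", "140.10.0esr"),
    ("ws-06", "Firefox", "150.0b3"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```
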

Evidence notes

The CVE-2026-6746 vulnerability has been documented by Mozilla and NVD. Multiple references, including Bugzilla and Red Hat advisories, provide additional context and mitigation guidance. The CVE has been published and modified according to the provided timeline.

This article is AI-assisted and based on the supplied source corpus.