PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6749 Mozilla CVE debrief

CVE-2026-6749 is a high-severity information disclosure vulnerability in the Firefox browser, caused by uninitialized memory in the Graphics: Canvas2D component. The vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. The CVSS score for this vulnerability is 7.5, indicating a high severity. The vulnerability was publicly disclosed on April 21, 2026, and the CVE record was last modified on June 30, 2026.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-21
Original CVE updated: 2026-06-30
Advisory published: 2026-04-21
Advisory updated: 2026-06-30

Who should care

This vulnerability affects users of Firefox, Firefox ESR, and Thunderbird. Users of these products should update to the latest versions to prevent potential information disclosure. Additionally, defenders and security teams should prioritize patching this vulnerability to prevent potential exploitation.

Technical summary

The vulnerability is caused by uninitialized memory in the Graphics: Canvas2D component of Firefox, which may allow an attacker to disclose sensitive information. The vulnerability has a CVSS score of 7.5, indicating high severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The weaknesses associated with this vulnerability are CWE-908 and CWE-824.

Defensive priority

Treat patching as high priority, since this is a high-severity information disclosure vulnerability. Defenders should prioritize updating Firefox, Firefox ESR, and Thunderbird to prevent potential exploitation.

Recommended defensive actions

  • Update Firefox to version 150 or later
  • Update Firefox ESR to version 115.35 or later
  • Update Firefox ESR to version 140.10 or later
  • Update Thunderbird to version 150 or later
  • Update Thunderbird to version 140.10 or later
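The fixed versions above sit on separate release branches, so a plain "115.35 or later" comparison would wrongly pass an ESR 140.9 build. The following added example (not part of the original debrief or any Mozilla tooling) checks an inventory branch by branch; the product labels, host names and sample inventory are constructed, release builds only are assumed, and the handling of majors with no listed fix is an assumption.

```python
import re

# Fixed releases listed in this debrief, one per maintained branch.
# The keys are hypothetical inventory labels, not official product identifiers.
FIXED = {
    "firefox": ["150"],
    "firefox-esr": ["115.35", "140.10"],
    "thunderbird": ["140.10", "150"],
}

def parse_version(text):
    """'140.9.1esr' -> (140, 9, 1, 0); a trailing channel tag is ignored."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad so 150 == 150.0

def is_patched(product, version):
    """True if the version is at or past the fix on its own branch."""
    fixes = [parse_version(f) for f in FIXED[product.lower()]]
    installed = parse_version(version)
    for fix in fixes:
        if installed[0] == fix[0]:  # same major branch as a listed fix
            return installed >= fix
    # Assumption: a major version with no listed fix is patched only if it is
    # newer than every fixed branch; older or in-between majors are flagged.
    return installed[0] > max(fix[0] for fix in fixes)

def needs_update(inventory):
    """Hosts whose installed build predates the fix for its branch."""
    return [host for host, product, version in inventory
            if not is_patched(product, version)]

# Constructed sample inventory: (host, product label, installed version).
INVENTORY = [
    ("ws-01", "firefox", "149.0.2"),
    ("ws-02", "firefox", "150.0"),
    ("ws-03", "firefox-esr", "115.34.0esr"),
    ("ws-04", "firefox-esr", "140.9.1esr"),
    ("ws-05", "firefox-esr", "140.10.0esr"),
    ("ws-06", "firefox-esr", "128.14.0esr"),
    ("ws-07", "thunderbird", "140.10.1"),
    ("ws-08", "thunderbird", "145.0"),
]

if __name__ == "__main__":
    for host in needs_update(INVENTORY):
        print(host)
```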

Evidence notes

The CVE record for CVE-2026-6749 was obtained from the official CVE website. The vulnerability details were obtained from the NVD database and the Mozilla security advisories. The CVSS score and vector were obtained from the NVD database.

This article was generated with AI assistance and is based on the supplied source corpus.