PatchSiren cyber security CVE debrief
CVE-2026-6749 Mozilla CVE debrief
CVE-2026-6749 is a high-severity (CVSS 7.5) information disclosure vulnerability in the Firefox browser, caused by uninitialized memory in the Graphics: Canvas2D component. It was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. The vulnerability was publicly disclosed on April 21, 2026, and the CVE record was last modified on June 30, 2026.
- Vendor: Mozilla
- Product: Firefox
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-21
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-21
- Advisory updated: 2026-06-30
Who should care
This vulnerability affects users of Firefox, Firefox ESR, and Thunderbird. Users of these products should update to the latest versions to prevent potential information disclosure. Additionally, defenders and security teams should prioritize patching this vulnerability to prevent potential exploitation.
Technical summary
The vulnerability is caused by uninitialized memory in the Graphics: Canvas2D component of Firefox, which may allow an attacker to obtain sensitive information. The vulnerability has a CVSS score of 7.5, indicating high severity. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network attack vector, low attack complexity, no privileges and no user interaction required, high confidentiality impact, and no integrity or availability impact. The weaknesses associated with this vulnerability are CWE-908 and CWE-824.
Defensive priority
High priority should be given to patching this vulnerability, as it is a high-severity information disclosure vulnerability. Defenders should prioritize patching Firefox, Firefox ESR, and Thunderbird to prevent potential exploitation.
Recommended defensive actions
- Update Firefox to version 150 or later
- Update Firefox ESR to version 115.35 or later
- Update Firefox ESR to version 140.10 or later
- Update Thunderbird to version 150 or later
- Update Thunderbird to version 140.10 or later
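The fixed versions listed above, turned into a branch-aware inventory check (an added example, not code from Mozilla or from the original page). The product keys, hostnames and sample versions are constructed, and matching a build to a fix by its major version is an assumption.

```python
import re

# Fixed versions as listed in this debrief, one floor per release branch.
# Assumption (not stated on the page): a build is matched to the floor that
# shares its major version; otherwise it is compared with the newest floor.
FIXED = {
    "firefox": [(150,)],
    "firefox-esr": [(115, 35), (140, 10)],
    "thunderbird": [(140, 10), (150,)],
}

def parse_version(text):
    """Turn '140.9.1esr' or '150.0' into a tuple of ints, e.g. (140, 9, 1)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_patched(product, version_text):
    """True if the build is at or above the fixed version for its branch."""
    floors = FIXED[product.lower()]
    version = parse_version(version_text)
    same_branch = [f for f in floors if f[0] == version[0]]
    floor = same_branch[0] if same_branch else max(floors)
    return version >= floor

def triage(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if not is_patched(row[1], row[2])]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-01", "firefox", "149.0.2"),
    ("ws-02", "firefox", "150.0"),
    ("ws-03", "firefox-esr", "115.34.0esr"),
    ("ws-04", "firefox-esr", "140.10.0esr"),
    ("ws-05", "firefox-esr", "128.14.0esr"),
    ("ws-06", "thunderbird", "140.9.1"),
    ("ws-07", "thunderbird", "150.0.1"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE):
        print(f"{host}: {product} {version} is below the fixed version")
```

Comparing numeric tuples rather than strings keeps 115.35 above 115.4, and the per-branch floors keep a patched ESR 140.10 build from being flagged just because it is below 150.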
Evidence notes
The CVE record for CVE-2026-6749 was obtained from the official CVE website. The vulnerability details were obtained from the NVD database and the Mozilla security advisories. The CVSS score and vector were obtained from the NVD database.
Official resources
- CVE-2026-6749 CVE record (CVE.org)
- CVE-2026-6749 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: [email protected] - Permissions Required
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance and is based on the supplied source corpus.