PatchSiren cyber security CVE debrief

CVE-2026-6786 Mozilla CVE debrief

CVE-2026-6786 is a memory safety vulnerability affecting Mozilla Firefox and Thunderbird. The entry covers multiple memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149, and Thunderbird 149. Mozilla's advisory states that some of these bugs showed evidence of memory corruption and that, with enough effort, some could presumably be exploited to run arbitrary code. The CVE was published on April 26, 2026, and the record was last modified on May 26, 2026. Mozilla addressed the issue through security updates released on April 29, 2026. The CVSS 3.1 base score of 7.5 (HIGH) reflects high confidentiality, integrity, and availability impact, although attack complexity is rated HIGH and exploitation requires user interaction. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-26
Original CVE updated: 2026-05-26
Advisory published: 2026-04-26
Advisory updated: 2026-05-26

Who should care

Organizations and individuals using Mozilla Firefox or Thunderbird for web browsing, email, or calendaring operations. Priority should be given to environments where these applications handle sensitive data or operate with elevated privileges. Security teams should prioritize patching due to the potential for arbitrary code execution, though the HIGH attack complexity and requirement for user interaction may allow for staged deployment in controlled environments.

Technical summary

The CVE covers multiple memory safety bugs in Mozilla Firefox and Thunderbird release versions prior to 150.0 and ESR versions prior to 140.10.0. The underlying weaknesses include out-of-bounds read (CWE-125), use-after-free (CWE-416), and out-of-bounds write (CWE-787) conditions. Exploitation requires network access and user interaction, and attack complexity is rated HIGH. Successful exploitation could result in arbitrary code execution with the privileges of the user running the affected application. The fix addresses numerous underlying memory corruption issues tracked across multiple Mozilla Bugzilla entries.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Firefox to version 150.0 or later
  • Upgrade Firefox ESR to version 140.10.0 or later
  • Upgrade Thunderbird to version 150.0 or later
  • Upgrade Thunderbird ESR to version 140.10.0 or later
  • Review and apply Mozilla security advisories MFSA2026-30, MFSA2026-32, MFSA2026-33, and MFSA2026-34
  • Monitor for additional Mozilla security updates addressing related memory safety issues
  • Consider implementing application control policies to restrict execution of unpatched browser versions
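A version-gate check for the upgrade thresholds listed above, added here as an example; it is not part of the PatchSiren debrief or of any Mozilla tooling. It assumes Mozilla's "140.9.0esr"-style version strings and uses a constructed host inventory; the point it shows is that ESR and release builds must be compared against different thresholds, since ESR 140.10.0 is fixed even though it is numerically below 150.0.

```python
"""Check Firefox/Thunderbird version strings against the fixed builds for CVE-2026-6786.

Thresholds come from the debrief: release 150.0, ESR 140.10.0. The "esr" suffix
follows Mozilla's own version strings (e.g. "140.9.0esr"). The inventory below is
constructed sample data, not real hosts.
"""
import re
from typing import Dict, Tuple

# Lowest fixed version per channel (from the advisory thresholds above).
FIXED_RELEASE = (150, 0, 0)
FIXED_ESR = (140, 10, 0)

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?$")


def parse_version(raw: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), is_esr) for strings like '149.0' or '140.9.0esr'."""
    m = _VERSION_RE.match(raw.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Mozilla version string: {raw!r}")
    major, minor, patch, esr = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), esr is not None


def is_vulnerable(raw: str) -> bool:
    """True if the version is below the fixed build for its channel.

    A naive comparison against 150.0 alone would wrongly flag ESR 140.10.0,
    so the ESR channel is compared against its own threshold.
    """
    version, esr = parse_version(raw)
    threshold = FIXED_ESR if esr else FIXED_RELEASE
    return version < threshold


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'PATCH' or 'ok' for a {host: version_string} inventory."""
    return {host: ("PATCH" if is_vulnerable(v) else "ok") for host, v in inventory.items()}


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "ws-01": "149.0",         # release channel, affected
    "ws-02": "150.0",         # first fixed release build
    "srv-03": "140.9.0esr",   # ESR 140.9, affected
    "srv-04": "140.10.0esr",  # first fixed ESR build: below 150 numerically, but fixed
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> {status}")
```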

Evidence notes

CVE published 2026-04-26; modified 2026-05-26. Mozilla security advisories MFSA2026-30, MFSA2026-32, MFSA2026-33, MFSA2026-34 released 2026-04-29. CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. CWE-125 (Out-of-bounds Read), CWE-416 (Use After Free), CWE-787 (Out-of-bounds Write) identified. Not in KEV catalog as of disclosure.

Official resources

2026-04-26