CVE-2026-6785 – Mozilla Firefox and Thunderbird Memory Safety Vulnerability Allowing Arbitrary Code Execution

Vulnerability

Patched

A vulnerability has been identified in Mozilla Firefox and Thunderbird that arises from memory safety issues. This vulnerability is present in multiple versions, including Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149, and Thunderbird 149. Some of these memory safety bugs showed signs of memory corruption, leading to the presumption that, with sufficient effort, they could be exploited to execute arbitrary code.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution.

Remediation

Users can upgrade to Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, or Thunderbird 140.10 to address this vulnerability.

Added: Apr 26, 2026, 7:57 PM

Updated: Apr 26, 2026, 7:57 PM

Affected Products

Mozilla Firefox

Moderate fix1 remedy

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*

Moderate fix1 remedy

149

Mozilla Firefox ESR

Moderate fix2 remedies

cpe:2.3:a:mozilla:firefox_esr:*:*:*:*:*:*:*

Moderate fix2 remedies

115.34
140.9

Mozilla Thunderbird

Moderate fix1 remedy

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*

Moderate fix1 remedy

149

CVSS Scores

volerion

7.5

CVSS 4.0

7.5

High

volerion

7.5

CVSS 3.1

7.5

High

CISA-ADP

7.5

CVSS 3.1

7.5

High

Click a row to open the calculator.

References

https://bugzilla.mozilla.org/buglist.cgi?bug_id=1935995%2C1999158%2C2015952%2C2021909%2C2022026%2C2022041%2C2022088%2C2022276%2C2022335%2C2022338%2C2022373%2C2022597%2C2022874%2C2023276%2C2023544%2C2023551%2C2023599%2C2023608%2C2023814%2C2024233%2C2024239%2C2024241%2C2024242%2C2024250%2C2024251%2C2024343%2C2024422%2C2024425%2C2024440%2C2024442%2C2024446%2C2024458%2C2024463%2C2024478%2C2024650%2C2024653%2C2024654%2C2024655%2C2024656%2C2024661%2C2024662%2C2024668%2C2024919%2C2025278%2C2025349%2C2025350%2C2025354%2C2025360%2C2025363%2C2025370%2C2025379%2C2025381%2C2025399%2C2025400%2C2025403%2C2025407%2C2025415%2C2025420%2C2025427%2C2025429%2C2025430%2C2025479%2C2025489%2C2025493%2C2025497%2C2025502%2C2025515%2C2025517%2C2025526%2C2025609%2C2025948%2C2025949%2C2025951%2C2025953%2C2025955%2C2025962%2C2025969%2C2025970%2C2025971%2C2025973%2C2025976%2C2025977%2C2026280%2C2026285%2C2026293%2C2026296%2C2026310%2C2027237%2C2027260%2C2027268%2C2027277%2C2027284%2C2027291%2C2027293%2C2027298%2C2027330%2C2027342%2C2027345%2C2027359%2C2027365%2C2027378%2C2027754%2C2027959%2C2027962%2C2027964%2C2027971%2C2027974%2C2027979%2C2027982%2C2027995%2C2028001%2C2028267%2C2028268%2C2028275%2C2028288%2C2028290%2C2028291%2C2028528%2C2028551%2C2028627%2C2028879%2C2028889%2C2029061%2C2029071%2C2029283%2C2029296%2C2029314%2C2029323%2C2029411%2C2029423%2C2029424%2C2029425%2C2029427%2C2029436%2C2029440%2C2029449%2C2029450%2C2029458%2C2029462%2C2029468%2C2029472%2C2029690%2C2029707%2C2029708%2C2029728%2C2029802%2C2029896%2C2029906%2C2030106%2C2030118%2C2030123%2C2030135%2C2030230%2C2030320

Issue TrackingNot ApplicableVendor

https://www.mozilla.org/security/advisories/mfsa2026-30/

AdvisoryBundleVendor

https://www.mozilla.org/security/advisories/mfsa2026-31/

AdvisoryBundleRemedyVendor

https://www.mozilla.org/security/advisories/mfsa2026-32/

AdvisoryBundleRemedyVendor

Showing 1-4 of 6 references

Mozilla Firefox and Thunderbird Memory Safety Vulnerability Allowing Arbitrary Code Execution

Vulnerability

Impact

Remediation

Affected Products

Mozilla Firefox

Mozilla Firefox ESR

Mozilla Thunderbird

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating