CRITICAL🇵🇱 Wersja polska

CVE-2026-6748

CVSS 9.8v3.1pub. 2026-04-21upd. 2026-06-30

Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

🤖 AI Analysis
How it works

The vulnerability results from the use of uninitialized memory in the module handling audio and video codecs (Web Codecs). When a browser or email client processes appropriately crafted multimedia data, it may read or write data from uninitialized memory areas. Such a state can be exploited by an attacker to control the program execution flow, which may consequently lead to arbitrary code execution on the victim's side.

Impact

An attacker can gain full control over the vulnerable application, including reading sensitive data from process memory, modifying data, and executing arbitrary code with the privileges of the attacked process. The network vector without required privileges and without user interaction (AV:N/AC:L/PR:N/UI:N) makes it possible for an exploit to be carried out remotely through a simple visit to a malicious website or opening a crafted message.

Mitigation & patch

Mozilla Firefox should be immediately updated to version 150 or Firefox ESR to version 140.10, and Mozilla Thunderbird to version 150 or Thunderbird ESR to version 140.10. Updates are available directly from the manufacturer according to the references: https://www.mozilla.org/security/advisories/mfsa2026-30/ and related security advisories.

Who is affected

Mozilla Firefox in versions prior to 150 and Firefox ESR in versions prior to 140.10, as well as Mozilla Thunderbird in versions prior to 150 and Thunderbird ESR in versions prior to 140.10.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 140.10.0< 150.0
  • Mozilla Thunderbird

    APP
    Mozilla
    < 140.10.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...