Critical (9.8)

Firefox & Thunderbird Critical RCE (CVE-2026-5731)

CVE-2026-5731

Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and w...

Overview

CVE-2026-5731 is a critical memory safety vulnerability affecting multiple versions of Mozilla Firefox and Thunderbird. The flaw stems from memory corruption bugs that could be exploited to run arbitrary code on a victim’s system.

Affected Products

The vulnerability impacts a wide range of versions. You are affected if you are running:

  • Firefox versions prior to 149.0.2
  • Firefox ESR versions prior to 115.34.1
  • Firefox ESR versions prior to 140.9.1
  • Thunderbird versions prior to 149.0.2
  • Thunderbird ESR versions prior to 140.9.1

Technical Impact

This is a network-based attack with a CVSS score of 9.8 (Critical). An attacker could exploit these memory corruption flaws without any user interaction (such as clicking a link) and without needing any special privileges. Successful exploitation could allow an attacker to execute arbitrary code on the target system, potentially leading to a complete compromise. This could result in data theft, installation of malware, or use of the system for further attacks.

Remediation

Immediate patching is the only complete mitigation.

  1. Update Your Software: All users must update to the latest patched versions.
    • Update Firefox to version 149.0.2 or later.
    • Update Firefox ESR to version 115.34.1 or 140.9.1 (or a later release on the same ESR branch).
    • Update Thunderbird to version 149.0.2 or later.
    • Update Thunderbird ESR to version 140.9.1 or later.
  2. Enable Automatic Updates: Ensure automatic updates are enabled in your browser and email client settings so that future security fixes arrive promptly.
  3. Verify Version: Confirm the update was successful by checking “About Firefox” or “About Thunderbird” in the application’s menu. The version number should match or exceed the fixed version for your release branch listed above.

For organizations managing deployments, expedite the rollout of these updated packages. There are no known effective workarounds for this vulnerability, making the update imperative.
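For fleet verification, the comparison has to be branch-aware: an ESR 115.34.1 build is patched even though it is numerically lower than 149.0.2, while a rapid-release 141.0 build is not. The following added example (not part of the advisory or of Mozilla's tooling) encodes the fixed versions listed above and triages a constructed inventory; host names and version strings in the sample are hypothetical.

```python
import re

# Fixed versions per product, taken from the advisory for CVE-2026-5731.
# Rapid-release builds are compared against the mainline fix; ESR builds are
# compared against the fix for their own ESR branch (major version).
FIXED_MAINLINE = {"firefox": (149, 0, 2), "thunderbird": (149, 0, 2)}
FIXED_ESR = {
    "firefox": {115: (115, 34, 1), 140: (140, 9, 1)},
    "thunderbird": {140: (140, 9, 1)},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '140.9.1esr' or '149.0.1' into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def fixed_version_for(product, version):
    """Pick the fix threshold for this build's branch (ESR 115/140 or mainline)."""
    product = product.lower()
    return FIXED_ESR[product].get(version[0], FIXED_MAINLINE[product])


def is_affected(product, version_text):
    """True when the build predates the fixed version for its release branch."""
    version = parse_version(version_text)
    return version < fixed_version_for(product, version)


def triage(inventory):
    """Return the (host, product, version) entries that still need the update."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "149.0.1"),        # rapid release, unpatched
    ("ws-02", "firefox", "149.0.2"),        # rapid release, patched
    ("ws-03", "firefox", "115.34.0esr"),    # ESR 115, unpatched
    ("ws-04", "firefox", "140.9.1esr"),     # ESR 140, patched
    ("ws-05", "firefox", "141.0"),          # old rapid release, unpatched
    ("mail-01", "thunderbird", "140.9.0esr"),
    ("mail-02", "thunderbird", "149.0.2"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected by CVE-2026-5731; update")
```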

Security Insight

This advisory highlights the persistent threat of memory corruption in complex, widely used software such as browsers and mail clients. The high CVSS score, driven by the “no interaction required” vector, underscores a shift towards more dangerous exploit patterns that bypass user awareness as a defense. For ongoing analysis of such threats, monitor our security news feed.
