Firefox memory corruption could run code (CVE-2026-6786)
CVE-2026-6786: High-severity memory bugs in Firefox/Thunderbird ESR 140.9, Firefox 149. Arbitrary code execution possible. Fixed in 150 and 140.10.
Vendor-confirmed - CVE-2026-6786 is a high-severity memory corruption vulnerability in Firefox ESR 140.9 and Thunderbird ESR 140.9, plus Firefox 149 and Thunderbird 149, that could allow an attacker to run arbitrary code on a victim’s system. Patched in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10 - update now.
Overview
Mozilla has confirmed a set of memory safety bugs tracked as CVE-2026-6786 that affect multiple products and versions. The underlying flaws involve memory corruption, meaning an attacker could craft a malicious webpage (for Firefox) or email (for Thunderbird) that corrupts the application's memory and leads to arbitrary code execution or a crash.
The vulnerability affects users running:
- Firefox ESR 140.9 and earlier
- Thunderbird ESR 140.9 and earlier
- Firefox 149 and earlier
- Thunderbird 149 and earlier
The CVSS score of 8.1 (HIGH) reflects that the attack is network-based and requires no user interaction or privileges, though the attack complexity is high, meaning exploitation is not trivial. No active exploitation has been confirmed in the wild, and the EPSS score of 0.0% indicates a very low probability of exploitation in the next 30 days. However, the historical precedent of similar memory corruption bugs being weaponized means organizations should treat this with appropriate urgency.
Impact
If successfully exploited, CVE-2026-6786 would allow an attacker to run arbitrary code in the context of the affected application. On Firefox, this means an attacker could install software, modify data, or create new accounts with user-level privileges. On Thunderbird, the same risk applies when viewing specially crafted email content. A crash or denial of service is also possible in less sophisticated attempts.
Remediation and Mitigation
Mozilla has released fixes in the following versions:
| Product | Fixed Version |
|---|---|
| Firefox | 150 |
| Firefox ESR | 140.10 |
| Thunderbird | 150 |
| Thunderbird ESR | 140.10 |
Action items:
- Update all affected Mozilla products to the patched versions immediately.
- For organizations using managed browsers or email clients, push updates via enterprise deployment tools (e.g., Group Policy, MDM).
- If immediate patching is not possible, consider restricting access to untrusted web content and disabling HTML email rendering in Thunderbird as a temporary workaround.
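For the first two action items, the check that matters is whether each installed build is below the fixed version for its channel. The script below is an added example, not tooling from Mozilla or from this advisory: it parses the output format of `firefox --version` / `thunderbird --version` (e.g. `Mozilla Firefox 140.9.0esr`), maps the build to the ESR or release channel, and compares it against the fixed versions from the table above. The inventory entries are constructed sample data; the channel heuristic (an `esr` suffix, or major version 140, means ESR) is an assumption made for the example.

```python
"""Flag Firefox / Thunderbird installs still affected by CVE-2026-6786.

Added example for this advisory, not Mozilla tooling. Fixed versions come
from the advisory's remediation table; everything else is an assumption.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Fixed versions from the advisory, keyed by (product, channel).
FIXED_VERSIONS: Dict[Tuple[str, str], Tuple[int, ...]] = {
    ("firefox", "esr"): (140, 10),
    ("firefox", "release"): (150,),
    ("thunderbird", "esr"): (140, 10),
    ("thunderbird", "release"): (150,),
}

# Major version of the ESR line named in the advisory (assumption used
# only to classify builds whose version string lacks an "esr" suffix).
ESR_MAJOR = 140

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)\s*(esr)?", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Turn '140.9.0esr' or 'Mozilla Firefox 149.0.2' into
    ((140, 9, 0), 'esr') or ((149, 0, 2), 'release')."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    is_esr = bool(m.group(2)) or parts[0] == ESR_MAJOR
    return parts, ("esr" if is_esr else "release")


def assess(product: str, version_text: str) -> Tuple[str, bool]:
    """Return (channel, still_vulnerable) for one installed build.

    A build is considered affected when its version tuple sorts below the
    fixed version for its channel; Python tuple ordering makes
    (140, 9, 0) < (140, 10) and (140, 10, 0) > (140, 10), which is the
    comparison we want."""
    product = product.lower()
    version, channel = parse_version(version_text)
    fixed = FIXED_VERSIONS[(product, channel)]
    return channel, version < fixed


def check_inventory(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Run assess() over (host, product, version_text) rows and return the
    rows that still need the update, with the target version filled in."""
    findings = []
    for host, product, version_text in inventory:
        channel, vulnerable = assess(product, version_text)
        if vulnerable:
            target = ".".join(map(str, FIXED_VERSIONS[(product.lower(), channel)]))
            findings.append({"host": host, "product": product,
                             "installed": version_text, "update_to": target})
    return findings


def installed_version(binary: str) -> Optional[str]:
    """Ask a local binary for its version string; None if it is not present."""
    try:
        return subprocess.run([binary, "--version"], capture_output=True,
                              text=True, timeout=10).stdout.strip()
    except (OSError, subprocess.SubprocessError):
        return None


if __name__ == "__main__":
    # Constructed sample inventory standing in for data from an MDM / CMDB export.
    sample = [
        ("ws-01", "firefox", "Mozilla Firefox 140.9.0esr"),
        ("ws-02", "firefox", "Mozilla Firefox 149.0.2"),
        ("ws-03", "firefox", "Mozilla Firefox 150.0"),
        ("mail-01", "thunderbird", "Thunderbird 140.9.1esr"),
        ("mail-02", "thunderbird", "Thunderbird 150.0"),
    ]
    for row in check_inventory(sample):
        print(f"{row['host']}: {row['product']} {row['installed']} -> update to {row['update_to']}")
    local = installed_version("firefox")
    if local:
        print("local firefox:", local, "->", assess("firefox", local))
```

Feed it the version strings your deployment tool already collects; the `--version` probe is only for a single host. Note that the comparison follows the advisory's "and earlier" wording literally, so any ESR build below 140.10 (including older ESR lines) is reported as needing the update.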
Security Insight
This marks another instance of memory corruption bugs in Mozilla’s browser and email client ecosystem. While the vendor has a strong record of patching such issues, the recurrence of memory safety bugs in core rendering components highlights the ongoing challenge of migrating legacy C++ code to memory-safe languages. Mozilla continues to adopt Rust in new components, but the attack surface in older code remains. This vulnerability is a reminder that even without active exploitation, memory corruption bugs in widely deployed client applications represent a significant risk that demands prompt attention.