CVE-2026-5735
Published: 07 April 2026
Summary
CVE-2026-5735 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely identification, patching, and remediation of the memory safety bugs in Firefox 149.0.1 and Thunderbird 149.0.1 to prevent arbitrary code execution.
Implements memory safeguards such as ASLR and DEP to protect against exploitation of memory corruption from out-of-bounds writes in the affected browser and email client.
Enables vulnerability scanning to identify deployments of vulnerable Firefox 149.0.1 and Thunderbird 149.0.1 affected by CVE-2026-5735 for prompt remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Memory corruption vulnerability in client applications (Firefox browser and Thunderbird email client) enabling remote arbitrary code execution with no user interaction directly maps to Exploitation for Client Execution.
NVD Description
Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was…
more
fixed in Firefox 149.0.2 and Thunderbird 149.0.2.
Deeper analysisAI
CVE-2026-5735 involves memory safety bugs, classified under CWE-787 (Out-of-bounds Write), affecting Firefox version 149.0.1 and Thunderbird version 149.0.1. These bugs exhibited evidence of memory corruption, which Mozilla presumes could be exploited with sufficient effort to achieve arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 9.8, indicating critical severity due to its high impact on confidentiality, integrity, and availability.
The attack scenario is highly accessible, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation would allow attackers to compromise the affected browser or email client, potentially leading to full system control through arbitrary code execution.
Mozilla's security advisories (MFSA 2026-25 and MFSA 2026-28) and related Bugzilla entries (bugs 2025475 and 2025477) confirm that the vulnerability was addressed in Firefox 149.0.2 and Thunderbird 149.0.2. Security practitioners should prioritize updating to these patched versions to mitigate the risk.
Details
- CWE(s)