Cyber Resilience

CVE-2026-6750

HighUpdated

Published: 21 April 2026

Published
21 April 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0048 38.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6750 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 38.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SC-39 (Process Isolation).

Deeper analysis

CVE-2026-6750 is a privilege escalation vulnerability (CWE-269: Improper Privilege Management) in the Graphics: WebRender component of Mozilla products. It affects Firefox versions prior to 150, Firefox ESR prior to 115.35 and 140.10, Thunderbird prior to 150, and Thunderbird prior to 140.10. The vulnerability was published on 2026-04-21 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Remote attackers require no privileges but must trick users into some interaction, such as visiting a malicious site or processing crafted content. Low attack complexity enables exploitation over the network, potentially granting elevated privileges within the affected browser or application, resulting in high impacts to confidentiality, integrity, and availability.

Mozilla Security Advisories (MFSA 2026-30, 2026-31, 2026-32, and 2026-33) and Bugzilla entry 2023407 detail the fix applied in the listed versions. Security practitioners should prioritize updating affected Firefox and Thunderbird installations to mitigate this issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Privilege escalation in the Graphics: WebRender component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Client-side privilege escalation vulnerability in browser rendering component directly enables exploitation for privilege escalation (T1068) and client execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6761Same product: Mozilla Firefox
CVE-2026-6769Same product: Mozilla Firefox
CVE-2026-8970Same product: Mozilla Firefox
CVE-2026-8952Same product: Mozilla Firefox
CVE-2026-8972Same product: Mozilla Firefox
CVE-2026-0881Same product: Mozilla Firefox
CVE-2026-8957Same product: Mozilla Firefox
CVE-2026-2768Same product: Mozilla Firefox
CVE-2026-2776Same product: Mozilla Firefox
CVE-2026-8955Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 115.35.0 · ≤ 150.0 · 140.0 — 140.10.0
mozilla
thunderbird
≤ 140.10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the privilege escalation vulnerability by requiring timely remediation through patching affected Firefox and Thunderbird versions to the fixed releases.

prevent

Addresses the core CWE-269 improper privilege management by enforcing least privilege for processes in the WebRender component, preventing unauthorized elevation.

prevent

Process isolation in browser architectures confines WebRender to sandboxed processes, blocking privilege escalation from maliciously crafted graphics content.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (1 rule)
  • V-248551 A sticky bit must be set on all OL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. via CWE-266
Oracle Linux 9 (1 rule)
  • V-271779 OL 9 must be configured so that a sticky bit must be set on all public directories. via CWE-266
RHEL 8 (1 rule)
  • V-230243 A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. via CWE-266
RHEL 9 (1 rule)
  • V-257929 A sticky bit must be set on all RHEL 9 public directories. via CWE-266
Ubuntu 22.04 (2 rules)
  • V-260559 Ubuntu 22.04 LTS must ensure only users who need access to security functions are part of sudo group. via CWE-266
  • V-260513 Ubuntu 22.04 LTS must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources. via CWE-266
Ubuntu 24.04 (2 rules)
  • V-270748 Ubuntu 24.04 LTS must ensure only users who need access to security functions are part of sudo group. via CWE-266
  • V-270750 Ubuntu 24.04 LTS must set a sticky bit on all public directories to prevent unauthorized and unintended information transferred via shared system resources. via CWE-266
Windows 10 (1 rule)
  • V-220712 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
Windows 11 (1 rule)
  • V-253269 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
Windows Server 2016 (1 rule)
  • V-225007 Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system. via CWE-269
Windows Server 2019 (1 rule)
  • V-205746 Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269
Windows Server 2022 (1 rule)
  • V-254428 Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269

References