Cyber Resilience

CVE-2026-6751

Severity: High · Updated

Published: 21 April 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS v3.1 score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS score: 0.0031 (22.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-6751 is a high-severity Use of Uninitialized Variable (CWE-457) vulnerability in Mozilla Firefox. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). EPSS ranks the vulnerability at the 22.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6751 is an uninitialized memory vulnerability (CWE-457) in the Audio/Video: Web Codecs component of Mozilla Firefox and Thunderbird products. It affects versions prior to Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. The issue was publicly disclosed on 2026-04-21 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites for exploitation.

Remote attackers can exploit this vulnerability without authentication or user interaction by targeting the Web Codecs API, potentially leading to limited disclosure of sensitive information, minor integrity modifications, or partial denial of service through memory corruption. The unchanged scope suggests impacts remain within the affected browser process.

Mozilla's security advisories (MFSA 2026-30 through 2026-34) and the associated Bugzilla entry detail the fix applied in the specified versions, recommending immediate upgrades to patched releases for mitigation. No workarounds are mentioned in the provided references.

Vulnerability details

Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
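The fixed versions above are the only facts a fleet check needs. The following is an added example, not code from Mozilla or from this record: it decides whether an installed Firefox or Thunderbird build predates the fix for CVE-2026-6751, treating 140.x builds as the extended-support branch fixed at 140.10 and every other build below 150 as an unfixed mainline build (that branch mapping, the `parse_version`/`is_vulnerable`/`triage` helpers and the sample inventory are assumptions made for the example).

```python
"""Flag Firefox/Thunderbird builds that still need the CVE-2026-6751 fix.

Added example, not from the advisory. Fixed versions are those the record
lists: Firefox 150, Firefox ESR 140.10, Thunderbird 150, Thunderbird 140.10.
Assumption: a 140.x build is an extended-support build fixed at 140.10;
any other build below 150 is an unfixed mainline build.
"""
from __future__ import annotations

import re

# Fixed (major, minor) per product, keyed by the branch that received the fix.
# "mainline" is the catch-all for every branch other than 140.
FIXED_VERSIONS = {
    "firefox": {140: (140, 10), "mainline": (150, 0)},
    "thunderbird": {140: (140, 10), "mainline": (150, 0)},
}

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '140.10.0', '150.0' or '141.0.2esr' into (major, minor, patch).

    Trailing suffixes such as 'esr' are ignored; missing fields default to 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.groups())
    return major, minor, patch


def is_vulnerable(product: str, version: str) -> bool:
    """True if this build is older than the release that fixed CVE-2026-6751."""
    product = product.lower()
    if product not in FIXED_VERSIONS:
        raise ValueError(f"CVE-2026-6751 does not apply to {product!r}")
    major, minor, _ = parse_version(version)
    branches = FIXED_VERSIONS[product]
    fixed = branches.get(major, branches["mainline"])  # branch-specific threshold
    return (major, minor) < fixed


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return hosts from a (host, product, version) inventory that still need the patch."""
    return [host for host, product, version in inventory if is_vulnerable(product, version)]


if __name__ == "__main__":
    # Constructed sample inventory; hosts and versions are made up for the example.
    sample = [("ws-01", "firefox", "150.0"), ("ws-02", "firefox", "140.9.0esr"),
              ("ws-03", "firefox", "149.0.1"), ("ws-04", "thunderbird", "140.10.0")]
    print(triage(sample))  # ['ws-02', 'ws-03']
```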

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Client-side memory corruption in the browser's Web Codecs API can be triggered by web content, which maps to drive-by compromise (T1189) for initial access and to exploitation of a client application (T1203) for execution.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-8027 (same product: Mozilla Firefox)
CVE-2025-9181 (same product: Mozilla Firefox)
CVE-2026-2805 (same product: Mozilla Firefox)
CVE-2026-2785 (same product: Mozilla Firefox)
CVE-2026-6748 (same product: Mozilla Firefox)
CVE-2026-6757 (same product: Mozilla Firefox)
CVE-2026-2790 (same product: Mozilla Firefox)
CVE-2025-1011 (same product: Mozilla Firefox)
CVE-2026-2795 (same product: Mozilla Firefox)
CVE-2026-2775 (same product: Mozilla Firefox)

Affected Assets

Vendor: mozilla · Product: firefox · Versions: ≤ 140.10.0 · ≤ 150.0
Vendor: mozilla · Product: thunderbird · Versions: 140.0 to 140.10.0

Mitigating Controls (NIST 800-53 r5, AI)

Prevent (SI-2, Flaw Remediation): Timely identification, reporting, and correction of flaws like the uninitialized memory in Web Codecs directly prevents exploitation of CVE-2026-6751 through patching to the fixed versions.

Prevent (SI-16, Memory Protection): Memory protection mechanisms such as ASLR, DEP, and stack canaries comprehensively mitigate exploitation of uninitialized memory vulnerabilities like CVE-2026-6751 by disrupting reliable memory corruption attacks.

Detect: Vulnerability monitoring and scanning detects deployed systems vulnerable to CVE-2026-6751, enabling proactive remediation before exploitation.
