CVE-2026-6756

High

Published: 21 April 2026

Published

21 April 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score 0.0004 12.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6756 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Mozilla Firefox. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-10 (Software Usage Restrictions).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely remediation of the mitigation bypass vulnerability in Firefox for Android by applying the patch in version 150.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Enables vulnerability scanning to identify and prioritize systems running vulnerable versions of Firefox for Android affected by CVE-2026-6756.

CM-10 Software Usage Restrictions partial match

prevent

Restricts execution to authorized, patched versions of Firefox for Android, preventing use of instances vulnerable to CVE-2026-6756.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Remote no-interaction client-side browser mitigation bypass with high integrity impact directly enables exploitation for client execution in a browser application.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Mitigation bypass in Firefox for Android. This vulnerability was fixed in Firefox 150.

Deeper analysisAI

CVE-2026-6756 is a mitigation bypass vulnerability (CWE-200) in Firefox for Android, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). Published on 2026-04-21, it allows attackers to circumvent security mitigations implemented in the browser.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation results in high integrity impact, enabling modification of data or behavior without affecting confidentiality or availability.

Mozilla addressed this issue in Firefox 150, as detailed in their security advisory (MFSA 2026-30) and Bugzilla entry 1992585. Security practitioners should ensure Firefox for Android instances are updated to version 150 or later to mitigate the risk.

Details

CWE(s): CWE-200

Affected Products

mozilla

firefox

≤ 150.0

CVEs Like This One

CVE-2026-5732Same product: Mozilla Firefox

CVE-2026-4705Same product: Mozilla Firefox

CVE-2026-4712Same product: Mozilla Firefox

CVE-2026-4691Same product: Mozilla Firefox

CVE-2026-4700Same product: Mozilla Firefox

CVE-2026-4711Same product: Mozilla Firefox

CVE-2026-3847Same product: Mozilla Firefox

CVE-2026-3845Same product: Mozilla Firefox

CVE-2026-8390Same product: Mozilla Firefox

CVE-2026-5733Same product: Mozilla Firefox

References

https://bugzilla.mozilla.org/show_bug.cgi?id=1992585
Permissions Required · security@mozilla.org
https://www.mozilla.org/security/advisories/mfsa2026-30/
Vendor Advisory · security@mozilla.org