CVE-2026-6761
Published: 21 April 2026
Summary
CVE-2026-6761 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6761 is a privilege escalation vulnerability in the Networking component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 150, Firefox ESR prior to 140.10, Thunderbird prior to 150, and Thunderbird prior to 140.10. The issue is classified under CWE-269 (Improper Privilege Management) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.
A remote attacker can exploit this vulnerability with low complexity and no required privileges, but it necessitates user interaction, such as clicking a malicious link or opening a crafted resource. Successful exploitation enables privilege escalation within the affected browser or mail client, potentially allowing the attacker to gain high-level access to the user's system resources, execute arbitrary code, or compromise sensitive data.
Mozilla's security advisories (MFSA 2026-30, 32, 33, and 34) and the associated Bugzilla entry (bug 2017857) detail the patch releases that address the vulnerability. Security practitioners should prioritize updating to Firefox 150, Firefox ESR 140.10, Thunderbird 150, or Thunderbird 140.10, as these versions include the necessary fixes to mitigate the privilege escalation risk.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24102
Vulnerability details
Privilege escalation in the Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE describes a client-side privilege escalation vulnerability in browser/mail client (Firefox/Thunderbird) exploitable via malicious link/resource, directly mapping to T1068 (Exploitation for Privilege Escalation) and T1203 (Exploitation for Client Execution).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely identification, reporting, and correction of flaws such as CVE-2026-6761 through patching to eliminate the privilege escalation vulnerability.
Enforces least privilege on system components like the browser's networking process to directly counter improper privilege management and limit escalation impact.
Mandates enforcement of access control policies to prevent unauthorized privilege escalations triggered by exploitation of the networking component vulnerability.
Hardening callouts derived
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Windows 10 (1 rule)
- V-220712 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
Windows 11 (1 rule)
- V-253269 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
Windows Server 2016 (1 rule)
- V-225007 Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system. via CWE-269
Windows Server 2019 (1 rule)
- V-205746 Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269
Windows Server 2022 (1 rule)
- V-254428 Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269