Cyber Resilience

CVE-2026-6761

High

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0022 12.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6761 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Mozilla Firefox. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 12.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6761 is a privilege escalation vulnerability in the Networking component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 150, Firefox ESR prior to 140.10, Thunderbird prior to 150, and Thunderbird prior to 140.10. The issue is classified under CWE-269 (Improper Privilege Management) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

A remote attacker can exploit this vulnerability with low complexity and no required privileges, but it necessitates user interaction, such as clicking a malicious link or opening a crafted resource. Successful exploitation enables privilege escalation within the affected browser or mail client, potentially allowing the attacker to gain high-level access to the user's system resources, execute arbitrary code, or compromise sensitive data.

Mozilla's security advisories (MFSA 2026-30, 32, 33, and 34) and the associated Bugzilla entry (bug 2017857) detail the patch releases that address the vulnerability. Security practitioners should prioritize updating to Firefox 150, Firefox ESR 140.10, Thunderbird 150, or Thunderbird 140.10, as these versions include the necessary fixes to mitigate the privilege escalation risk.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Privilege escalation in the Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

CVE describes a client-side privilege escalation vulnerability in browser/mail client (Firefox/Thunderbird) exploitable via malicious link/resource, directly mapping to T1068 (Exploitation for Privilege Escalation) and T1203 (Exploitation for Client Execution).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-8955Same product: Mozilla Firefox
CVE-2026-8972Same product: Mozilla Firefox
CVE-2026-8952Same product: Mozilla Firefox
CVE-2026-2782Same product: Mozilla Firefox
CVE-2026-8957Same product: Mozilla Firefox
CVE-2026-6769Same product: Mozilla Firefox
CVE-2026-2780Same product: Mozilla Firefox
CVE-2026-8970Same product: Mozilla Firefox
CVE-2026-6750Same product: Mozilla Firefox
CVE-2026-2777Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 140.10.0 · ≤ 150.0
mozilla
thunderbird
≤ 140.10.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely identification, reporting, and correction of flaws such as CVE-2026-6761 through patching to eliminate the privilege escalation vulnerability.

prevent

Enforces least privilege on system components like the browser's networking process to directly counter improper privilege management and limit escalation impact.

prevent

Mandates enforcement of access control policies to prevent unauthorized privilege escalations triggered by exploitation of the networking component vulnerability.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Windows 10 (1 rule)
  • V-220712 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
Windows 11 (1 rule)
  • V-253269 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
Windows Server 2016 (1 rule)
  • V-225007 Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system. via CWE-269
Windows Server 2019 (1 rule)
  • V-205746 Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269
Windows Server 2022 (1 rule)
  • V-254428 Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269

References