Cyber Resilience

CVE-2026-6764

Severity: Medium
Published: 21 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (fixed releases listed below)
CVSS v3.1 base score: 6.5 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS: 0.0023 (13.8th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-6764 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Mozilla Firefox. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK techniques Application or System Exploitation (T1499.004) and Drive-by Compromise (T1189). Its EPSS score places it at the 13.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-6764 is an incorrect-boundary-condition bug in the DOM: Device Interfaces component, classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). It affects Mozilla Firefox, Firefox ESR, and Thunderbird. The fix shipped in Firefox 150 and Thunderbird 150 on the release branch, and in Firefox ESR 140.10 and Thunderbird 140.10 on the 140 branch. The CVSS v3.1 base vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L scores 6.5 (Medium): network-reachable, low attack complexity, no privileges or user interaction required, scope unchanged, with low integrity and availability impact and no confidentiality impact.

Remote attackers can exploit this vulnerability over the network without authentication or user interaction. For a browser component, "over the network" means attacker-controlled content that the client renders, so the realistic delivery path is a malicious or compromised web page (Drive-by Compromise, T1189). Per the published vector, successful exploitation causes limited disruption, such as minor integrity violations (data modification) or availability loss (a crash or denial of service), and does not enable data exfiltration or broader system compromise. Two caveats for practitioners: the vector scores UI:N even though a victim has to load the content, so teams that score browser-content triggers as UI:R will arrive at a lower number; and the low integrity/availability rating is the published assessment of this specific bug, not a property of out-of-bounds access in general, so patch on the normal cadence rather than deferring on the strength of a Medium label. For Thunderbird, Mozilla's advisories routinely note that scripting is disabled when reading mail, so flaws of this kind are generally not exploitable through email itself but remain a risk in browser-like contexts inside the client.

Mozilla's security advisories (MFSA2026-30 through MFSA2026-34) and the associated Bugzilla entry (bug 2022162) describe the fix shipped in the versions above. Update affected installs to those patched releases; there is no documented configuration workaround for this issue.

Vulnerability details

Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

CWE(s)

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
T1189 Drive-by Compromise (Initial Access)
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

A browser memory-boundary flaw (CWE-119) with a network trigger and low integrity/availability impact supports application exploitation for denial of service (T1499.004), and delivery through malicious web content is Drive-by Compromise (T1189).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-8044 (same product: Mozilla Firefox)
CVE-2026-2788 (same product: Mozilla Firefox)
CVE-2026-2773 (same product: Mozilla Firefox)
CVE-2026-0879 (same product: Mozilla Firefox)
CVE-2025-8040 (same product: Mozilla Firefox)
CVE-2026-2778 (same product: Mozilla Firefox)
CVE-2025-8034 (same product: Mozilla Firefox)
CVE-2025-11721 (same product: Mozilla Firefox)
CVE-2026-6767 (same product: Mozilla Firefox)
CVE-2025-4093 (same product: Mozilla Firefox)

Affected Assets

mozilla / firefox: release branch before 150; ESR 140 branch before 140.10
mozilla / thunderbird: release branch before 150; 140 branch before 140.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation · prevent

Directly requires timely installation of security-relevant patches to remediate known flaws such as the boundary-condition error fixed in Firefox/Thunderbird 150 and ESR 140.10.

Vulnerability scanning · detect (the page gives no control ID for this entry; the matching 800-53 r5 control is RA-5 Vulnerability Monitoring and Scanning)

Requires continuous vulnerability scanning to discover browser/Thunderbird instances still running versions prior to the 150/140.10 fixes.

CM-6 Configuration Settings · prevent

Enforces configuration settings that mandate approved, patched versions of Firefox/Thunderbird, so the vulnerable DOM Device Interfaces code is no longer deployed.
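The detect control above amounts to one concrete check: is a given Firefox or Thunderbird build below the fix for its branch? The block below is an added example written for this page (not the page's or Mozilla's code) that encodes the two fix thresholds from the advisory, 150 on the release branch and 140.10 on the 140 branch, and applies them to version strings as reported by an inventory tool or by `firefox --version`. The inventory records and hostnames are constructed for the example; the treatment of branches older than 140 (reported as affected because the advisory lists no fix for them) is an assumption, flagged in the code.

```python
import re
from typing import NamedTuple

# Fixed releases named in the advisory. Firefox and Thunderbird share the
# numbering: 150 on the release branch, 140.10 on the 140 (ESR) branch.
RELEASE_FIXED_MAJOR = 150
ESR_BRANCH_MAJOR = 140
ESR_FIXED = (140, 10, 0)

# Accepts "149.0.1", "140.9.0esr", or `firefox --version` output such as
# "Mozilla Firefox 149.0.1"; text before the first digit is ignored.
VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*(esr)?", re.IGNORECASE)


class Verdict(NamedTuple):
    vulnerable: bool
    reason: str


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) from a Firefox/Thunderbird version string."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch, _esr = m.groups()
    return (int(major), int(minor or 0), int(patch or 0))


def assess(version_text: str) -> Verdict:
    """Decide whether an install is below the CVE-2026-6764 fix for its branch."""
    ver = parse_version(version_text)
    major = ver[0]
    if major >= RELEASE_FIXED_MAJOR:
        return Verdict(False, f"{major}.x is at or past the 150 fix")
    if major == ESR_BRANCH_MAJOR:
        if ver >= ESR_FIXED:
            return Verdict(False, "140 branch at or past 140.10")
        return Verdict(True, "140 branch below 140.10")
    if major > ESR_BRANCH_MAJOR:
        return Verdict(True, f"release branch {major}.x below 150")
    # Assumption: branches older than 140 (e.g. an out-of-support ESR) receive
    # no fix in the advisory, so they are reported as affected, not ignored.
    return Verdict(True, f"{major}.x predates the 140 branch; no fix listed, treat as affected")


def find_affected(inventory):
    """inventory: iterable of (hostname, product, version_text).
    Returns (host, product, version, reason) for every vulnerable install."""
    hits = []
    for host, product, version_text in inventory:
        if product.lower() not in ("firefox", "thunderbird"):
            continue  # other products are out of scope for this CVE
        verdict = assess(version_text)
        if verdict.vulnerable:
            hits.append((host, product, version_text, verdict.reason))
    return hits


# Constructed sample inventory (hostnames are made up) covering each branch case.
SAMPLE_INVENTORY = [
    ("ws-101", "firefox", "Mozilla Firefox 149.0.1"),
    ("ws-102", "firefox", "150.0"),
    ("srv-kiosk-7", "firefox", "140.9.0esr"),
    ("srv-kiosk-8", "firefox", "140.10.0esr"),
    ("mail-ops-3", "thunderbird", "Thunderbird 140.8.0"),
    ("mail-ops-4", "thunderbird", "150.0"),
    ("legacy-1", "firefox", "128.5.0esr"),
    ("ws-200", "chrome", "125.0.6422.60"),
]

if __name__ == "__main__":
    for hit in find_affected(SAMPLE_INVENTORY):
        print("AFFECTED", *hit)
```

Feed it the version column from whatever inventory you already have (EDR, MDM, package manager) and the output is the patch work list for SI-2; the per-branch comparison matters because 140.10 sorts numerically below 149 yet is fixed while 149 is not.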

References

Mozilla Foundation Security Advisories MFSA2026-30 through MFSA2026-34
Mozilla Bugzilla bug 2022162