Cyber Posture

CVE-2026-6773

High

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0005 16.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6773 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Mozilla Firefox. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 16.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

SI-2 requires timely identification, reporting, and patching of system flaws, directly mitigating this integer overflow vulnerability fixed in Firefox 150 and Thunderbird 150.

RA-5 Vulnerability Monitoring and Scanning good match
detect

RA-5 mandates vulnerability scanning that would identify outdated Firefox/Thunderbird versions vulnerable to this WebGPU integer overflow.

SC-5 Denial-of-service Protection partial match
prevent

SC-5 provides denial-of-service protections that limit the impact of resource exhaustion and crashes from this remote unauthenticated integer overflow exploit.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

The integer overflow in the browser's WebGPU component enables remote unauthenticated exploitation causing application crashes and resource exhaustion, directly mapping to Endpoint Denial of Service via application or system exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Denial-of-service due to integer overflow in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

Deeper analysisAI

CVE-2026-6773 is a denial-of-service vulnerability stemming from an integer overflow (CWE-190) in the Graphics: WebGPU component of Mozilla Firefox and Thunderbird. Published on 2026-04-21, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption with no effects on confidentiality or integrity.

Remote, unauthenticated attackers can exploit the vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation leads to denial of service, potentially causing browser or application crashes and resource exhaustion on affected systems.

Mozilla addressed the issue in Firefox 150 and Thunderbird 150. Additional details on patches and mitigations are available in Mozilla Security Advisories MFSA2026-30 and MFSA2026-33, along with Bugzilla entry 2015959.

Details

CWE(s)
CWE-190

Affected Products

mozilla
firefox
≤ 150.0
mozilla
thunderbird
≤ 150.0

CVEs Like This One

CVE-2026-4694Same product: Mozilla Firefox
CVE-2026-6746Same product: Mozilla Firefox
CVE-2026-6754Same product: Mozilla Firefox
CVE-2026-0889Same product: Mozilla Firefox
CVE-2026-6777Same product: Mozilla Firefox
CVE-2026-6755Same product: Mozilla Firefox
CVE-2026-2762Same product: Mozilla Firefox
CVE-2026-4727Same product: Mozilla Firefox
CVE-2026-6783Same product: Mozilla Firefox
CVE-2026-2801Same product: Mozilla Firefox

References