Cyber Resilience

CVE-2026-6773

High

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0032 24.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6773 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Mozilla Firefox. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 24.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6773 is a denial-of-service vulnerability stemming from an integer overflow (CWE-190) in the Graphics: WebGPU component of Mozilla Firefox and Thunderbird. Published on 2026-04-21, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption with no effects on confidentiality or integrity.

Remote, unauthenticated attackers can exploit the vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation leads to denial of service, potentially causing browser or application crashes and resource exhaustion on affected systems.

Mozilla addressed the issue in Firefox 150 and Thunderbird 150. Additional details on patches and mitigations are available in Mozilla Security Advisories MFSA2026-30 and MFSA2026-33, along with Bugzilla entry 2015959.

EU & UK References

Vulnerability details

Denial-of-service due to integer overflow in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The integer overflow in the browser's WebGPU component enables remote unauthenticated exploitation causing application crashes and resource exhaustion, directly mapping to Endpoint Denial of Service via application or system exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4694Same product: Mozilla Firefox
CVE-2026-6754Same product: Mozilla Firefox
CVE-2026-6755Same product: Mozilla Firefox
CVE-2025-9182Same product: Mozilla Firefox
CVE-2026-6758Same product: Mozilla Firefox
CVE-2026-6783Same product: Mozilla Firefox
CVE-2026-6746Same product: Mozilla Firefox
CVE-2026-2801Same product: Mozilla Firefox
CVE-2025-10533Same product: Mozilla Firefox
CVE-2026-6781Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 150.0
mozilla
thunderbird
≤ 150.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely identification, reporting, and patching of system flaws, directly mitigating this integer overflow vulnerability fixed in Firefox 150 and Thunderbird 150.

detect

RA-5 mandates vulnerability scanning that would identify outdated Firefox/Thunderbird versions vulnerable to this WebGPU integer overflow.

prevent

SC-5 provides denial-of-service protections that limit the impact of resource exhaustion and crashes from this remote unauthenticated integer overflow exploit.

References