Cyber Resilience

CVE-2026-6775

Medium

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0021 10.9th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-6775 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Mozilla Firefox. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-6775 is a vulnerability involving incorrect boundary conditions in the WebRTC component, classified under CWE-119. It affects Mozilla Firefox and Thunderbird versions prior to 150, where the issue allows for improper handling of data boundaries. The vulnerability carries a CVSS v3.1 base score of 5.3, reflecting medium severity with network accessibility, low attack complexity, no required privileges or user interaction, unchanged scope, and low impact on confidentiality.

Remote, unauthenticated attackers can exploit this vulnerability over the network without user interaction. Successful exploitation enables limited disclosure of sensitive information, such as partial access to confidential data processed by the WebRTC component, though it does not impact integrity or availability.

Mozilla's security advisories (MFSA 2026-30 and MFSA 2026-33) and the associated Bugzilla entry detail the fix implemented in Firefox 150 and Thunderbird 150. Security practitioners should prioritize updating affected instances to these versions to mitigate the issue.

EU & UK References

Vulnerability details

Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote network exploitation of vulnerable WebRTC component in browser for partial info disclosure directly matches T1190; client-side nature and lack of code exec limit additional mappings.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-9403Same product: Mozilla Firefox
CVE-2025-8035Same product: Mozilla Firefox
CVE-2024-9396Same product: Mozilla Firefox
CVE-2024-9402Same product: Mozilla Firefox
CVE-2026-0892Same product: Mozilla Firefox
CVE-2025-9184Same product: Mozilla Firefox
CVE-2026-6767Same product: Mozilla Firefox
CVE-2025-5268Same product: Mozilla Firefox
CVE-2026-2773Same product: Mozilla Firefox
CVE-2025-9179Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 150.0
mozilla
thunderbird
≤ 150.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely application of patches to remediate the WebRTC boundary flaw fixed in Firefox/Thunderbird 150.

prevent

Implements memory protection mechanisms that can block exploitation of the CWE-119 boundary condition error leading to information disclosure.

detect

Enables discovery of unpatched Firefox/Thunderbird instances vulnerable to the WebRTC flaw before exploitation occurs.

References