CVE-2026-6775
Published: 21 April 2026
Summary
CVE-2026-6775 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Mozilla Firefox. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-6775 is a vulnerability involving incorrect boundary conditions in the WebRTC component, classified under CWE-119. It affects Mozilla Firefox and Thunderbird versions prior to 150, where the issue allows for improper handling of data boundaries. The vulnerability carries a CVSS v3.1 base score of 5.3, reflecting medium severity with network accessibility, low attack complexity, no required privileges or user interaction, unchanged scope, and low impact on confidentiality.
Remote, unauthenticated attackers can exploit this vulnerability over the network without user interaction. Successful exploitation enables limited disclosure of sensitive information, such as partial access to confidential data processed by the WebRTC component, though it does not impact integrity or availability.
Mozilla's security advisories (MFSA 2026-30 and MFSA 2026-33) and the associated Bugzilla entry detail the fix implemented in Firefox 150 and Thunderbird 150. Security practitioners should prioritize updating affected instances to these versions to mitigate the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24116
Vulnerability details
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network exploitation of vulnerable WebRTC component in browser for partial info disclosure directly matches T1190; client-side nature and lack of code exec limit additional mappings.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely application of patches to remediate the WebRTC boundary flaw fixed in Firefox/Thunderbird 150.
Implements memory protection mechanisms that can block exploitation of the CWE-119 boundary condition error leading to information disclosure.
Enables discovery of unpatched Firefox/Thunderbird instances vulnerable to the WebRTC flaw before exploitation occurs.