Cyber Posture

CVE-2026-6776

High

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0001 2.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6776 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Mozilla Firefox. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 2.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly addresses the vulnerability by requiring timely identification, testing, and deployment of patches for known flaws like the incorrect boundary conditions in WebRTC fixed in Firefox 150 and Thunderbird 150.

SI-16 Memory Protection partial match
prevent

Mitigates exploitation of CWE-119 buffer overflow vulnerabilities through memory protections such as non-executable memory regions and address space layout randomization in browser processes.

RA-5 Vulnerability Monitoring and Scanning partial match
detect

Enables detection of systems running vulnerable versions of Firefox, ESR, or Thunderbird affected by CVE-2026-6776 through periodic vulnerability scanning.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
Why these techniques?

Memory corruption vulnerability (CWE-119) in client application (Firefox/Thunderbird WebRTC component) with local attack vector, no privileges required, and user interaction, directly enabling arbitrary code execution via client-side exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Deeper analysisAI

CVE-2026-6776 involves incorrect boundary conditions, classified under CWE-119, in the WebRTC Networking component. This vulnerability affects Mozilla products including Firefox, Firefox ESR, and Thunderbird. It was addressed in the following releases: Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Local attackers can exploit it with low attack complexity and no required privileges, though user interaction is necessary. Successful exploitation enables high-impact consequences, including unauthorized access to confidential data, modification of system integrity, and disruption of availability.

Mozilla security advisories MFSA2026-30, MFSA2026-32, MFSA2026-33, and MFSA2026-34, along with Bugzilla entry 2021770, provide details on the issue and recommend updating to the fixed versions for mitigation.

Details

CWE(s)
CWE-119

Affected Products

mozilla
firefox
≤ 140.10.0 · ≤ 150.0
mozilla
thunderbird
≤ 140.10.0

CVEs Like This One

CVE-2026-8093Same product: Mozilla Firefox
CVE-2025-9185Same product: Mozilla Firefox
CVE-2026-7324Same product: Mozilla Firefox
CVE-2026-5731Same product: Mozilla Firefox
CVE-2026-2779Same product: Mozilla Firefox
CVE-2026-0891Same product: Mozilla Firefox
CVE-2026-4710Same product: Mozilla Firefox
CVE-2026-0892Same product: Mozilla Firefox
CVE-2026-6752Same product: Mozilla Firefox
CVE-2025-9179Same product: Mozilla Firefox

References