Cyber Resilience

CVE-2026-6777

Severity: Medium
Published: 21 April 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS Score (v3.1): 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0016 (5.7th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-6777 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Mozilla Firefox. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 5.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-6777 is an unspecified vulnerability classified as "other issue" in the Networking: DNS component of Mozilla Firefox and Thunderbird. The flaw, associated with CWE-20 (Improper Input Validation), CWE-352 (Cross-Site Request Forgery), and CWE-400 (Uncontrolled Resource Consumption), carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity with primary impact on availability.

Remote attackers can exploit this vulnerability over the network without authentication or user interaction, requiring low attack complexity. Successful exploitation results in a low-impact denial of service, such as resource exhaustion or service disruption, but does not compromise confidentiality or integrity.

Mozilla's security advisories (MFSA 2026-30 and MFSA 2026-33) and the associated Bugzilla entry (bug 2022726) confirm the issue was addressed in Firefox version 150 and Thunderbird version 150. Security practitioners should ensure affected users upgrade to these patched versions to mitigate the risk.

Vulnerability details

Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

CWE(s)

CWE-20 (Improper Input Validation), CWE-352 (Cross-Site Request Forgery), CWE-400 (Uncontrolled Resource Consumption)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in client DNS handling (improper input validation + resource consumption) enables remote exploitation to trigger application-level denial of service via resource exhaustion.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

  • CVE-2020-15660 (same vendor: Mozilla)
  • CVE-2023-4047 (same product: Mozilla Firefox)
  • CVE-2025-1074 (shared CWE-352)
  • CVE-2024-26469 (shared CWE-352)
  • CVE-2023-45128 (shared CWE-20, CWE-352)
  • CVE-2023-27623 (shared CWE-352)
  • CVE-2021-20096 (shared CWE-352)
  • CVE-2024-31268 (shared CWE-352)
  • CVE-2024-37227 (shared CWE-352)
  • CVE-2022-41253 (shared CWE-352)

Affected Assets

  • mozilla / firefox: ≤ 150.0
  • mozilla / thunderbird: ≤ 150.0

Mitigating Controls (NIST 800-53 r5)

  • SI-10 Information Input Validation (prevent): Directly enforces input validation on DNS/network data to block the improper input handling (CWE-20) that leads to resource exhaustion.
  • SC-5 Denial-of-service Protection (prevent): Provides denial-of-service protections that limit uncontrolled resource consumption (CWE-400) from unauthenticated network requests targeting the DNS component.
  • Vendor patching (prevent): Requires timely application of vendor patches, directly addressing the flaw fixed in Firefox/Thunderbird 150.

Hardening callouts (derived)

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (2 rules)
  • V-248574: YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization. (via CWE-20)
  • V-248575: OL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. (via CWE-20)
RHEL 7 (2 rules)
  • V-204447: The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. (via CWE-20)
  • V-204448: The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. (via CWE-20)
RHEL 8 (2 rules)
  • V-230264: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. (via CWE-20)
  • V-230265: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. (via CWE-20)