CVE-2026-6777
Published: 21 April 2026
Summary
CVE-2026-6777 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Mozilla Firefox. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 5.7th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-6777 is an unspecified vulnerability classified as "other issue" in the Networking: DNS component of Mozilla Firefox and Thunderbird. The flaw, associated with CWE-20 (Improper Input Validation), CWE-352 (Cross-Site Request Forgery), and CWE-400 (Uncontrolled Resource Consumption), carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity with primary impact on availability.
Remote attackers can exploit this vulnerability over the network without authentication or user interaction, requiring low attack complexity. Successful exploitation results in a low-impact denial of service, such as resource exhaustion or service disruption, but does not compromise confidentiality or integrity.
Mozilla's security advisories (MFSA 2026-30 and MFSA 2026-33) and the associated Bugzilla entry (bug 2022726) confirm the issue was addressed in Firefox version 150 and Thunderbird version 150. Security practitioners should ensure affected users upgrade to these patched versions to mitigate the risk.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24118
Vulnerability details
Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in client DNS handling (improper input validation + resource consumption) enables remote exploitation to trigger application-level denial of service via resource exhaustion.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly enforces input validation on DNS/network data to block the improper input handling (CWE-20) that leads to resource exhaustion.
- SC-5 (Denial-of-Service Protection): Provides denial-of-service protections that limit uncontrolled resource consumption (CWE-400) from unauthenticated network requests targeting the DNS component.
- Patch management: Requires timely application of vendor patches, directly addressing the flaw fixed in Firefox/Thunderbird 150.
Hardening callouts (derived)
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (2 rules)
- V-248574: YUM must be configured to prevent the installation of patches, service packs, device drivers, or OL 8 system components that have not been digitally signed using a certificate that is recognized and approved by the organization. (via CWE-20)
- V-248575: OL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. (via CWE-20)
RHEL 7 (2 rules)
- V-204447: The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. (via CWE-20)
- V-204448: The Red Hat Enterprise Linux operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. (via CWE-20)
RHEL 8 (2 rules)
- V-230264: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. (via CWE-20)
- V-230265: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. (via CWE-20)