CVE-2026-6778
Published: 21 April 2026
Summary
CVE-2026-6778 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in Mozilla Firefox. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 13.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Invalid pointer dereference in browser media playback directly enables application crash via exploitation, matching T1499.004 Endpoint Denial of Service (Application or System Exploitation).
NVD Description
Invalid pointer in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
Deeper analysisAI
CVE-2026-6778 is an invalid pointer vulnerability (CWE-476, CWE-824) in the Audio/Video: Playback component of Mozilla Firefox and Thunderbird. Published on 2026-04-21, it carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). The issue was addressed in Firefox 150 and Thunderbird 150.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and without requiring user interaction or privileges. Successful exploitation results in a low-impact denial of service, such as application crashes affecting availability.
Mozilla's security advisories MFSA2026-30 and MFSA2026-33 provide details on the vulnerability and patches, recommending upgrades to Firefox 150 or Thunderbird 150. Further technical information is available in Bugzilla ticket 2022746.
Details
- CWE(s)