CVE-2026-6780

Severity: High

Published: 21 April 2026

Modified: 22 April 2026
KEV Added: (not listed)
Patch: (see NVD description below)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0005 (16.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-6780 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Mozilla Firefox. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). EPSS ranks it at the 16.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: SI-2 (Flaw Remediation). Mandates timely flaw remediation through patching to Firefox 150 / Thunderbird 150, directly eliminating the uncontrolled resource consumption vulnerability.
- Prevent: SC-5 (Denial-of-service Protection). Provides architectural and technical protections specifically against denial-of-service attacks, including resource exhaustion from malformed audio/video inputs.
- Prevent: SC-6 (Resource Availability). Ensures resource availability by monitoring and managing processor, memory, and other resources to mitigate excessive consumption triggered by malicious media playback.

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

Why these techniques?

The CVE describes a remote DoS via malformed audio/video input causing uncontrolled resource consumption (CWE-400) in the client application, directly enabling application exhaustion attacks that lead to crashes or unavailability.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.

Deeper analysis

CVE-2026-6780 is a denial-of-service vulnerability in the Audio/Video: Playback component of Mozilla Firefox and Thunderbird. Published on 2026-04-21, it stems from CWE-400 (Uncontrolled Resource Consumption) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The issue affects versions of Firefox and Thunderbird prior to 150, where malformed input to the playback component could trigger excessive resource usage.

A remote attacker can exploit this vulnerability over the network with low complexity, requiring no privileges, authentication, or user interaction. By crafting and delivering malicious audio or video content, for example via a web page, email attachment, or direct file handling, the attacker can cause the affected browser or mail client to consume significant resources, leading to application crashes, browser hangs, or system-wide denial of service, with high availability impact but no effect on confidentiality or integrity.

Mozilla's security advisories (MFSA 2026-30 and MFSA 2026-33) and the associated Bugzilla entry (bug 2025179) confirm the vulnerability was addressed in Firefox 150 and Thunderbird 150. Mitigation involves updating to these patched versions, with no additional workarounds specified.

Details

CWE(s)

- CWE-400 (Uncontrolled Resource Consumption)

Affected Products

- mozilla firefox ≤ 150.0
- mozilla thunderbird ≤ 150.0

CVEs Like This One

- CVE-2026-4726 (same product: Mozilla Firefox)
- CVE-2026-0889 (same product: Mozilla Firefox)
- CVE-2026-4727 (same product: Mozilla Firefox)
- CVE-2026-6781 (same product: Mozilla Firefox)
- CVE-2026-6777 (same product: Mozilla Firefox)
- CVE-2026-8093 (same product: Mozilla Firefox)
- CVE-2025-9185 (same product: Mozilla Firefox)
- CVE-2026-2803 (same product: Mozilla Firefox)
- CVE-2026-6766 (same product: Mozilla Firefox)
- CVE-2025-1018 (same product: Mozilla Firefox)