VYPR
High severity · 8.8 · NVD Advisory · Published Apr 7, 2026 · Updated Apr 13, 2026

CVE-2026-5733

Description

Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Incorrect boundary conditions in Mozilla's Graphics: WebGPU component could allow arbitrary code execution; fixed in Firefox 149.0.2 and Thunderbird 149.0.2.

Vulnerability Overview

CVE-2026-5733 is a high-severity vulnerability affecting the WebGPU component in Mozilla Firefox and Thunderbird. The issue stems from incorrect boundary conditions within the Graphics subsystem, a type of memory safety flaw that can lead to memory corruption. This vulnerability was reported by Inseo An and is fixed in Firefox 149.0.2 and Thunderbird 149.0.2 [1][2].

Attack Vector and Exploitation

Exploitation of this flaw requires an attacker to craft a malicious webpage or content that triggers the boundary condition error when processed by the browser's WebGPU API. The vulnerability does not require authentication, but it does require user interaction—the victim must visit the hostile page or load the crafted content. In Thunderbird, scripting is disabled when reading email, so the flaw cannot be exploited through email alone, but it remains a risk in browser-like contexts within the mail application [1].

Impact

An attacker who successfully exploits this vulnerability could achieve arbitrary code execution on the affected system, potentially gaining the same privileges as the user running the browser or mail client. Memory corruption bugs of this class are considered high-impact because they can bypass security boundaries and lead to full system compromise [1][2].

Mitigation Status

Mozilla has released patched versions: Firefox 149.0.2 and Thunderbird 149.0.2. Users are strongly advised to update to these versions to mitigate the risk. No workarounds are available; the only effective mitigation is applying the security update [1][2].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (+ 1 more)
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*, range: <149.0.2
    • (no CPE), range: <149.0.2

Patches

0

No patches discovered yet.

References

3