VYPR
High severity · 7.5 · NVD Advisory · Published Apr 21, 2026 · Updated Apr 22, 2026

CVE-2026-6746

Description

Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in Firefox and Thunderbird's DOM: Core & HTML component could lead to a potentially exploitable crash.

Vulnerability Overview

CVE-2026-6746 is a use-after-free vulnerability in the DOM: Core & HTML component of Mozilla Firefox and Thunderbird. The issue was discovered by a team of researchers using Claude from Anthropic and reported via Bug 2014596 [1][2]. A use-after-free occurs when a program continues to use a memory reference after the memory has been freed, which can lead to a crash or potentially allow an attacker to execute arbitrary code.

Exploitation Context

In the Firefox browser, this vulnerability could be triggered by visiting a specially crafted web page. For Thunderbird, the advisory notes that scripting is disabled when reading email, so the flaw cannot be exploited through email in the Thunderbird product. However, it remains a risk in browser or browser-like contexts [1][3].

Impact

If successfully exploited, an attacker could cause a denial of service via a crash, or potentially achieve arbitrary code execution. The vulnerability is rated High severity with a CVSS v3 score of 7.5.

Mitigation

Mozilla has fixed this vulnerability in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10 [1][2][3][4]. Users are advised to update to these versions or later to protect against potential exploitation.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <150.0)
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <115.35.0)
    • (no CPE) (range: 150)
  • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (range: <140.10.0)

References

6
