VYPR
← All advisories
High severity7.5NVD Advisory· Published Apr 21, 2026· Updated Apr 22, 2026

CVE-2026-6747

CVE-2026-6747

Description

Use-after-free in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Mozilla's WebRTC component could allow an attacker to execute arbitrary code in a browser or browser-like context.

Vulnerability

CVE-2026-6747 is a use-after-free vulnerability in the WebRTC component of Mozilla Firefox and Thunderbird. The bug, reported by Nan Wang, occurs when a previously freed memory object is accessed, leading to potentially exploitable memory corruption [1][2].

Exploitation

An attacker could trigger this vulnerability by convincing a user to visit a specially crafted web page or interact with WebRTC content in a browser-like context. In Thunderbird, scripting is disabled when reading email, so the flaw cannot be exploited through email alone; however, it remains a risk in browser or browser-like contexts [1][3].

Impact

Successful exploitation could allow an attacker to execute arbitrary code in the context of the affected application, potentially leading to system compromise. The vulnerability is rated High with a CVSS v3 score of 7.5.

Mitigation

Mozilla addressed CVE-2026-6747 in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10, all released on April 21, 2026 [1][2][3][4]. Users should update to these versions or later to mitigate the risk.

References
  1. Security Vulnerabilities fixed in Thunderbird 150
  2. Security Vulnerabilities fixed in Firefox 150
  3. Security Vulnerabilities fixed in Thunderbird 140.10
  4. Security Vulnerabilities fixed in Firefox ESR 140.10

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • Mozilla Corporation/Firefox2 versions
    cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*+ 1 more
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*range: <150.0
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*range: <140.10.0
  • Mozilla Corporation/Thunderbird
    cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
    Range: <140.10.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.