CVE-2026-6752
Description
Incorrect boundary conditions in the WebRTC component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Incorrect boundary conditions in Firefox and Thunderbird's WebRTC component could allow memory corruption, fixed in versions 150, 115.35, 140.10.
Vulnerability
CVE-2026-6752 is a high-severity vulnerability in the WebRTC component of Mozilla Firefox and Thunderbird, caused by incorrect boundary conditions [1][2]. This memory safety bug can lead to memory corruption when processing specially crafted WebRTC data.
Exploitation
An attacker could exploit this vulnerability by convincing a user to visit a malicious website or interact with crafted WebRTC content in a browser-like context. In Thunderbird, scripting is disabled when reading mail, so the flaw cannot be exploited through email directly, but it remains a risk in browser or browser-like contexts [1][3].
Impact
Successful exploitation could allow an attacker to corrupt memory, potentially leading to arbitrary code execution or other high-impact consequences. The CVSS v3 score is 7.3, reflecting the high severity of the issue.
Mitigation
Mozilla addressed the vulnerability in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10, all released on April 21, 2026 [1][2][3][4]. Users should update to these versions or later to mitigate the risk.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <150.0)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <115.35.0)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (range: >=140.0,<140.10.0)
- Range: <115.35 or <140.10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.mozilla.org/security/advisories/mfsa2026-30/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-31/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-32/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-33/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-34/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd, Permissions Required)
News mentions
No linked articles in our index yet.