VYPR
← All advisories
High severity7.5NVD Advisory· Published Apr 21, 2026· Updated Apr 22, 2026

CVE-2026-6754

CVE-2026-6754

Description

Use-after-free in the JavaScript Engine component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Mozilla's JavaScript Engine (Firefox/Thunderbird) allows potential code execution; patched in latest versions.

Vulnerability

CVE-2026-6754 is a use-after-free vulnerability in the JavaScript Engine component of Mozilla Firefox and Thunderbird. The root cause is improper memory management, where a freed object is still accessible, leading to memory corruption [1][2].

Exploitation

An attacker can exploit this by crafting malicious JavaScript content that triggers the use-after-free condition. In the Thunderbird product, scripting is disabled when reading email, so exploitation is not possible through email alone but is a risk in browser or browser-like contexts [1][3].

Impact

Successful exploitation could allow an attacker to execute arbitrary code, potentially leading to full system compromise. The vulnerability is rated High severity [2][4].

Mitigation

Mozilla has fixed this vulnerability in Firefox 150, Firefox ESR 115.35 and 140.10, Thunderbird 150, and Thunderbird 140.10. Users are advised to update to these versions [1][4].

References
  1. Security Vulnerabilities fixed in Thunderbird 150
  2. Security Vulnerabilities fixed in Firefox 150
  3. Security Vulnerabilities fixed in Thunderbird 140.10
  4. Security Vulnerabilities fixed in Firefox ESR 140.10

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

5
  • Mozilla Corporation/Firefox2 versions
    cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*+ 1 more
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*range: <150.0
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*range: <115.35.0
  • Mozilla Corporation/Thunderbird2 versions
    cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*+ 1 more
    • cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*range: <140.10.0
    • (no CPE)range: <150,<140.10
  • Mozilla Corporation/Firefox Esrllm-fuzzy
    Range: <115.35,<140.10

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

6

News mentions

0

No linked articles in our index yet.