CVE-2026-6758
Description
Use-after-free in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-6758 is a use-after-free vulnerability in Firefox's WebAssembly component, fixed in Firefox 150 and Thunderbird 150, with a high severity CVSS score of 7.5.
CVE-2026-6758 is a use-after-free vulnerability in the WebAssembly component of the JavaScript engine, affecting Firefox and Thunderbird. This memory safety bug occurs when the engine does not properly manage object lifetimes during WebAssembly compilation or execution, leading to a dangling pointer that can be dereferenced by an attacker [1][2].
To exploit this vulnerability, an attacker would need to craft a malicious web page or WebAssembly module that triggers the use-after-free condition. No privileges are required beyond convincing the victim to open the crafted content in a browser context. In Thunderbird, scripting is disabled when reading mail, which mitigates the risk for email-based attacks; the flaw remains exploitable in browser-like contexts within Thunderbird or Firefox [1].
Successful exploitation could allow an attacker to execute arbitrary code or cause a denial of service, as use-after-free bugs often permit memory corruption that can be leveraged for code execution. The vulnerability was assigned a high severity rating under CVSS v3 with a score of 7.5 [1][2].
The vulnerability was fixed in Firefox 150 and Thunderbird 150, released on April 21, 2026. Mozilla credits the discovery to researchers Evyatar Ben Asher, Keane Lucas, and others who used Claude from Anthropic for fuzzing assistance. Users are advised to update to the latest versions to mitigate the risk [1][2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <150
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2026-30/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-33/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd, Permissions Required)
News mentions
- SHub macOS infostealer variant spoofs Apple security updates (BleepingComputer · May 18, 2026)
- CISA Admin Leaked AWS GovCloud Keys on Github (Krebs on Security · May 18, 2026)
- SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain (SentinelOne Labs · May 18, 2026)
- Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws (The Hacker News · May 18, 2026)
- Mozilla warns UK: Breaking VPNs will not magically fix Britain's age-check mess (The Register Security · May 18, 2026)
- Hackers Earn $1.3 Million at Pwn2Own Berlin 2026 (SecurityWeek · May 18, 2026)
- Debian 13.5 point release lands with security fixes, bug patches (Help Net Security · May 17, 2026)
- Popular node-ipc npm package compromised to steal credentials (BleepingComputer · May 15, 2026)
- Chrome 148 Update Patches Critical Vulnerabilities (SecurityWeek · May 15, 2026)
- Windows 11 and Microsoft Edge hacked at Pwn2Own Berlin 2026 (BleepingComputer · May 14, 2026)
- Mythos Proves Potent in Vulnerability Discovery, Less Convincing Elsewhere (SecurityWeek · May 14, 2026)
- How Dangerous Is Anthropic’s Mythos AI? (Schneier on Security · May 14, 2026)
- Welcome to the vulnpocalypse, as vendors use AI to find bugs and patches multiply like rabbits (The Register Security · May 13, 2026)
- 73 Seconds to Breach, 24 Hours to Patch: The Case for Autonomous Validation (BleepingComputer · May 13, 2026)
- Patch Tuesday, May 2026 Edition (Krebs on Security · May 12, 2026)
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days (BleepingComputer · May 12, 2026)
- Claude Mythos Finds Only One Curl Vulnerability; Experts Divided on What It Really Means (SecurityWeek · May 12, 2026)
- ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More (The Hacker News · May 11, 2026)
- Week in review: cPanel vulnerability actively exploited, DigiCert breach, LinkedIn job scams (Help Net Security · May 10, 2026)
- TCLBANKER Banking Trojan Targets Financial Platforms via WhatsApp and Outlook Worms (The Hacker News · May 8, 2026)
- Mozilla boasts Mythos boosted Firefox bug cull (The Register Security · May 7, 2026)
- ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories (The Hacker News · May 7, 2026)
- Proton Mail brings quantum-safe email encryption to all accounts (Help Net Security · May 6, 2026)
- Cleartext Passwords in MS Edge? In 2026?, (Mon, May 4th) (SANS Internet Storm Center · May 5, 2026)
- Critical Bug Could Expose 300,000 Ollama Deployments to Information Theft (SecurityWeek · May 5, 2026)
- CloudZ RAT potentially steals OTP messages using Pheno plugin (Cisco Talos Intelligence · May 5, 2026)
- Cisco Moves to Acquire Astrix Security to Tackle Non-Human Identity Risks (SecurityWeek · May 4, 2026)
- Backdoored PyTorch Lightning package drops credential stealer (BleepingComputer · May 4, 2026)
- ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More (The Hacker News · May 4, 2026)
- US Military Reaches Deals With 7 Tech Companies to Use Their AI on Classified Systems (SecurityWeek · May 3, 2026)
- Anthropic Unveils Claude Security to Counter AI-Powered Exploit Surge (SecurityWeek · Apr 30, 2026)
- Copy Fail (CVE-2026-31431): Frequently asked questions about Linux kernel privilege escalation vulnerability (Tenable Blog · Apr 30, 2026)
- New Python Backdoor Uses Tunneling Service to Steal Browser and Cloud Credentials (The Hacker News · Apr 30, 2026)
- Legacy TLS tour continues with Exchange Online blocking old versions from July 2026 (The Register Security · Apr 29, 2026)
- Claude Mythos Has Found 271 Zero-Days in Firefox (Schneier on Security · Apr 29, 2026)
- Vidar Rises to Top of Chaotic Infostealer Market (Dark Reading · Apr 28, 2026)
- Brazilian LofyGang Resurfaces After Three Years With Minecraft LofyStealer Campaign (The Hacker News · Apr 28, 2026)
- VECT: Ransomware by design, Wiper by accident (Check Point Research · Apr 28, 2026)
- Widely Used Browser Extensions Selling User Data (Infosecurity Magazine · Apr 27, 2026)
- AI's not going to kill open source code security (The Register Security · Apr 26, 2026)
- Project Glasswing Proved AI Can Find the Bugs. Who's Going to Fix Them? (The Hacker News · Apr 23, 2026)
- Risky Business #834 -- Vercel gets owned, Mozilla dumps hundreds of Mythos bugs (Risky Business · Apr 22, 2026)
- DFIR Report – The Gentlemen & SystemBC: A Sneak Peek Behind the Proxy (Check Point Research · Apr 20, 2026)
- Metasploit Wrap-Up 04/17/2026 (Rapid7 Blog · Apr 17, 2026)
- Shared Dictionaries: compression that keeps up with the agentic web (Cloudflare Blog · Apr 17, 2026)
- Attackers Actively Exploiting Critical Vulnerability in Ninja Forms – File Upload Plugin (Wordfence Blog · Apr 16, 2026)
- Securing the Software Supply Chain: How SentinelOne’s AI EDR Autonomously Blocked the CPU-Z Watering Hole Cyber Attack (SentinelOne Labs · Apr 14, 2026)
- New 'Storm' Infostealer Remotely Decrypts Stolen Credentials (Infosecurity Magazine · Apr 2, 2026)
- ZDI-26-252: Mozilla Firefox IonMonkey Switch Statement Optimization Type Confusion Remote Code Execution Vulnerability (Zero Day Initiative · Apr 2, 2026)