VYPR
← All advisories
High severity7.5NVD Advisory· Published Apr 21, 2026· Updated Apr 22, 2026

CVE-2026-6759

CVE-2026-6759

Description

Use-after-free in the Widget: Cocoa component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in Mozilla Widget:Cocoa component allowing code execution; fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Vulnerability

Overview CVE-2026-6759 is a use-after-free vulnerability in the Widget: Cocoa component of Mozilla Firefox and Thunderbird [1][2][3][4]. This memory safety bug occurs when the program continues to use a pointer after the referenced memory has been freed, potentially leading to exploitable conditions.

Exploitation

Exploitation requires crafted content that triggers the use-after-free. In Thunderbird, scripting is disabled in email, so this flaw cannot be exploited through mail alone [1][3]. However, in browser or browser-like contexts (e.g., Firefox), an attacker could deliver the exploit via a malicious webpage.

Impact

Successful exploitation could allow arbitrary code execution, leading to full system compromise under the user's privileges. The vulnerability is rated High severity with a CVSS v3 score of 7.5.

Mitigation

Mozilla addressed this vulnerability in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10, released on April 21, 2026 [1][2][3][4]. Users are advised to update to these or later versions.

References
  1. Security Vulnerabilities fixed in Thunderbird 150
  2. Security Vulnerabilities fixed in Firefox 150
  3. Security Vulnerabilities fixed in Thunderbird 140.10
  4. Security Vulnerabilities fixed in Firefox ESR 140.10

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • Mozilla Corporation/Firefox3 versions
    cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*+ 2 more
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*range: <150.0
    • cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*range: <140.10.0
    • (no CPE)range: <150
  • Mozilla Corporation/Thunderbird
    cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
    Range: >=140.0,<140.10.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.