CVE-2026-6764
Description
Incorrect boundary conditions in the DOM: Device Interfaces component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Incorrect boundary conditions in the DOM: Device Interfaces component could lead to memory corruption, fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
CVE-2026-6764 is a memory safety vulnerability caused by incorrect boundary conditions in the DOM: Device Interfaces component of Mozilla products. This flaw can result in memory corruption when processing specially crafted web content.
Exploitation requires an attacker to convince a user to visit a malicious web page in a browser context where scripting is enabled. In Thunderbird, scripting is disabled when reading email, so the vulnerability is not exploitable through email messages but remains a risk in browser-like contexts (e.g., when viewing HTML content with scripting enabled) [1][3].
Successful exploitation could allow an attacker to corrupt memory, potentially leading to arbitrary code execution. The CVSS v3 base score is 6.5 (Medium), though the Mozilla advisories rate the impact as high [1][2][3][4].
The vulnerability is patched in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10. Users are advised to update to these versions or later to mitigate the risk [1][2][3][4].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <150.0)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <140.10.0)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (range: >=140.0,<140.10.0)
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2026-30/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-32/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-33/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-34/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd, Permissions Required)