CVE-2026-6767
Description
Other issue in the Libraries component in NSS. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-6767 is an unspecified issue in the NSS Libraries component, fixed in Firefox 150, Firefox ESR 115.35/140.10, Thunderbird 150, and Thunderbird 140.10.
Vulnerability
Overview
CVE-2026-6767 is an unspecified issue in the Libraries component of Network Security Services (NSS) [1][1][2][3][4]. The vulnerability was addressed in multiple Mozilla products, including Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10][1][2][3][4]. The exact nature of the bug is not detailed in the available advisories, but it is classified as a security issue with a CVSS v3 score of 5.3 (Medium severity).
Exploitation
Context
According to the Mozilla advisories, these flaws cannot be exploited through email in the Thunderbird email client because scripting is disabled when reading mail][1][3]. However, the vulnerability poses a risk in browser or browser-like contexts where scripting is enabled][1][3]. The attack surface would likely involve a crafted web page or content that triggers the NSS library issue, potentially requiring user interaction such as visiting a malicious site.
Impact
An attacker exploiting this vulnerability could lead to unspecified impacts, but given the medium severity and the component (NSS), it may involve cryptographic operations or certificate handling. The advisory does not provide specific details on the consequences of exploitation.
Mitigation
Mozilla has released patches for the affected products: Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10][1][2][3][4]. Users are advised to update to these versions to mitigate the risk. No workarounds are mentioned in the advisories.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
7cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*+ 2 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*range: <150.0
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*range: <115.35.0
- (no CPE)range: = 150
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*+ 1 more
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*range: >=140.0,<140.10.0
- (no CPE)range: = 150
- Range: = 115.35, = 140.10
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- www.mozilla.org/security/advisories/mfsa2026-30/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-31/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-32/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-33/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-34/nvdVendor Advisory
- bugzilla.mozilla.org/show_bug.cginvdPermissions Required
News mentions
0No linked articles in our index yet.