CVE-2026-7320
Description
Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-7320 is an information disclosure vulnerability in Firefox and Thunderbird's Audio/Video component due to incorrect boundary conditions, fixed in versions released April 2026.
Vulnerability Overview
CVE-2026-7320 is an information disclosure vulnerability caused by incorrect boundary conditions in the Audio/Video component of Firefox and Thunderbird [1][2][3][4]. The flaw can lead to unintended memory read operations, potentially exposing sensitive data.
Exploitation Context
In Thunderbird, scripting is disabled when reading email, making direct exploitation through email unlikely [1][2]. However, in browser or browser-like contexts, an attacker could potentially trigger the vulnerability by presenting crafted audio or video content to the user, leading to information disclosure.
Impact
Successful exploitation could allow an attacker to read memory contents, resulting in information disclosure. The vulnerability is rated High severity with a CVSS v3 score of 7.5.
Mitigation
Mozilla has addressed this vulnerability in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1 [1][2][3][4]. Users are advised to update to the latest versions to mitigate the risk.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (4)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <150.0.1)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <115.35.1)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* (range: <150.0.1)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (range: <140.10.1)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- www.mozilla.org/security/advisories/mfsa2026-35/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-36/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-37/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-38/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-39/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd, Permissions Required)
News mentions
No linked articles in our index yet.