Firefox and Thunderbird Memory Safety Vulnerabilities — April 2026 Patch Tuesday
Mozilla patched a broad collection of memory safety bugs in Firefox 150, released on April 21, 2026, with fixes landing across the current and ESR release branches. CVE-2026-6785 covers the widest scope of these fixes, affecting Firefox 149, Firefox ESR 140.9, Firefox ESR 115.34, Thunderbird 149, and Thunderbird ESR 140.9.
Mozilla's advisory states: "some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code."
The Firefox 150 release addressed 41 security vulnerabilities in total, making it one of the larger Mozilla security releases. CVE-2026-6785 is the most broadly applicable memory-safety CVE in the batch, spanning the current release and both ESR branches.
Vulnerability Details
| Detail | Value |
|---|---|
| CVE ID | CVE-2026-6785 |
| CWE | CWE-125 (Out-of-bounds Read), CWE-416 (Use-After-Free), CWE-787 (Out-of-bounds Write) |
| CVSS 3.1 | 8.1 High (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| Attack Vector | Network — no authentication, no user interaction |
| Attack Complexity | High — significant attacker effort required to weaponize |
| Affected Products | Firefox 149, Firefox ESR 140.9, Firefox ESR 115.34, Thunderbird 149, Thunderbird ESR 140.9 |
| Patched In | Firefox 150, Firefox ESR 140.10, Firefox ESR 115.35, Thunderbird 150, Thunderbird ESR 140.10 |
| Published | April 21, 2026 (MFSA 2026-30) |
| Exploited in Wild | No known active exploitation |
| Discovery | Mozilla internal security audit / fuzzing |
Memory Corruption Classes Covered
CVE-2026-6785 is a "memory safety catch-all" CVE covering multiple fuzzer-found bugs across the Gecko engine:
| CWE | Type | Risk |
|---|---|---|
| CWE-125 | Out-of-bounds Read | Information disclosure, crash |
| CWE-416 | Use-After-Free | Heap corruption, potential RCE |
| CWE-787 | Out-of-bounds Write | Memory corruption, potential RCE |
Use-after-free and out-of-bounds write primitives are the most dangerous of the three: they are the building blocks of browser exploit chains that end in arbitrary code execution in the renderer process, whereas an out-of-bounds read on its own usually yields information disclosure or a crash.
Why AC:H Constrains the Score
The CVSS Attack Complexity of High reflects that exploitation requires the attacker to engineer a specific heap layout or race condition to reliably trigger and control the memory corruption. This is standard for batch-reported memory safety CVEs where no single easily-weaponizable primitive has been isolated, reducing the score from the theoretical maximum despite high confidentiality/integrity/availability impact.
Related CVEs in Firefox 150 (MFSA 2026-30)
| CVE | Scope / Description | Severity |
|---|---|---|
| CVE-2026-6784 | Firefox 149, Thunderbird 149 only | High |
| CVE-2026-6785 | All branches (ESR 115, ESR 140, current) | High — CVSS 8.1 |
| CVE-2026-6786 | Firefox ESR 140.10, Firefox 150 only | High |
| CVE-2026-6746 | Use-after-free in DOM | High |
| CVE-2026-6747 | Use-after-free in WebRTC | High |
| CVE-2026-6770 | IndexedDB Tor fingerprinting | High |
| CVE-2026-6778 | Invalid pointer in Audio/Video Playback | Low |
CVE-2026-6785 is notable as the only memory safety CVE affecting all three release branches simultaneously (Firefox ESR 115.34, Firefox ESR 140.9, and the current Firefox 149), making it the highest-priority patch for organizations running any version of Firefox or Thunderbird.
Impact Assessment
| Impact Area | Description |
|---|---|
| Scope | Potential arbitrary code execution in the browser/email client process |
| Attack Surface | Malicious webpage or email with crafted content triggering the memory corruption |
| Exploitation difficulty | High — requires specific heap grooming; no known public PoC |
| Enterprise exposure | Firefox ESR 115.x and 140.x are common in corporate environments — both branches are affected |
| Thunderbird risk | Thunderbird users processing HTML emails from untrusted senders are also in scope |
Recommendations
Update Immediately
| Product | Vulnerable | Safe Version |
|---|---|---|
| Firefox | 149 and earlier | 150 or later |
| Firefox ESR 140.x | 140.9 and earlier | 140.10 or later |
| Firefox ESR 115.x | 115.34 and earlier | 115.35 or later |
| Thunderbird | 149 and earlier | 150 or later |
| Thunderbird ESR 140.x | 140.9 and earlier | 140.10 or later |
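One way to turn the table above into a check an administrator can run over an inventory export, added here as an example and not anything from Mozilla: it parses Mozilla-style version strings (ESR builds carry a trailing "esr"), maps each one to the branch in the table, and compares it against the first fixed version. The FIXED mapping is copied from the table; the hostnames and version strings in SAMPLE_INVENTORY are constructed sample data. A version from a branch the table does not cover (for example a Thunderbird 115 build) is reported as "unknown" rather than silently assumed safe.

```python
"""Classify installed Firefox/Thunderbird versions against the fix table above.
Added example; FIXED comes from the advisory's table, the inventory is constructed."""
import re

# First fixed version per (product, branch), from the "Update Immediately" table.
FIXED = {
    ("firefox", "esr115"): (115, 35),
    ("firefox", "esr140"): (140, 10),
    ("firefox", "release"): (150,),
    ("thunderbird", "esr140"): (140, 10),
    ("thunderbird", "release"): (150,),
}

# Majors the advisory treats as ESR branches; every other major is mainline.
ESR_MAJORS = {115: "esr115", 140: "esr140"}

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?$")


def parse_version(text):
    """Parse '140.9.0esr', '149.0.1' or '115.34' into (numeric tuple, is_esr).
    Mozilla appends 'esr' to the version string of ESR builds."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(x) for x in m.groups()[:3] if x is not None)
    return nums, m.group(4) is not None


def status(product, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' (no fix data for that branch)."""
    nums, is_esr = parse_version(version_text)
    if is_esr and nums[0] not in ESR_MAJORS:
        return "unknown"            # an ESR line the advisory does not list
    branch = ESR_MAJORS.get(nums[0], "release")
    fixed = FIXED.get((product.lower(), branch))
    if fixed is None:
        return "unknown"
    # Tuple comparison handles (140, 10, 0) vs (140, 10): a longer equal prefix sorts higher.
    return "patched" if nums >= fixed else "vulnerable"


# Constructed sample inventory (hostname, product, version string); not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "149.0.1"),
    ("ws-02", "firefox", "150.0"),
    ("srv-03", "firefox", "140.9.0esr"),
    ("srv-04", "firefox", "140.10.0esr"),
    ("legacy-05", "firefox", "115.34.0esr"),
    ("mail-06", "thunderbird", "140.9.0esr"),
    ("mail-07", "thunderbird", "150.0"),
    ("mail-08", "thunderbird", "115.18.0esr"),  # branch not in the table: needs manual review
]


def triage(inventory):
    """Group hostnames by status so the vulnerable list can feed a patch job."""
    report = {"vulnerable": [], "patched": [], "unknown": []}
    for host, product, version in inventory:
        report[status(product, version)].append(host)
    return report


if __name__ == "__main__":
    for state, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{state:10s} {', '.join(hosts) or '-'}")
```

Feed it rows exported from your software inventory (hostname, product, version string) in place of SAMPLE_INVENTORY; the "vulnerable" list is the set of hosts that still need Firefox 150 / ESR 140.10 / ESR 115.35 or Thunderbird 150 / ESR 140.10, and "unknown" hosts deserve a manual look rather than being treated as safe.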
For IT Administrators
- Deploy Firefox 150 / ESR 140.10 / ESR 115.35 via your patch management system — all are available from Mozilla
- Prioritize ESR branches — ESR 115 and 140 are the most commonly deployed in enterprise environments
- Include Thunderbird in the patch cycle — HTML email processing shares the same vulnerable Gecko engine
- Enable automatic updates where policy allows — Mozilla's rapid release cadence means manual patching creates long exposure windows
Key Takeaways
- CVE-2026-6785 (CVSS 8.1) covers memory corruption bugs across the widest set of Firefox and Thunderbird branches, making it the highest-priority fix in the Firefox 150 release
- Firefox ESR 115.34 and ESR 140.9 are both affected — organizations on extended support releases cannot defer this patch
- Thunderbird is equally exposed — email clients using Gecko are in scope for memory corruption via crafted HTML content
- No active exploitation has been reported, but the AC:H classification reflects engineering difficulty, not invulnerability — sophisticated threat actors can and do exploit browser memory corruption
- Firefox 150 addresses 41 total vulnerabilities — this release should be treated as a high-priority monthly patch cycle update