CRITICAL🇵🇱 Wersja polska

CVE-2026-5735

CVSS 9.8v3.1pub. 2026-04-07upd. 2026-06-30

Memory safety bugs present in Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.

🤖 AI Analysis
How it works

The vulnerability results from out-of-bounds write errors in the memory management of the browser/email client engine. Some of the detected errors led to process memory corruption, which provides a basis for their exploitation to gain control over the program's execution flow. An attacker can deliver specially crafted content (e.g., a website or email message) that triggers the vulnerable code without requiring authentication or user interaction.

Impact

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code remotely (RCE) in the context of a Firefox or Thunderbird process, which may lead to complete compromise of the user session, data breach, or malicious software installation.

Mitigation & patch

Mozilla Firefox should be updated immediately to version 149.0.2 or later, and Mozilla Thunderbird should be updated to version 149.0.2 or later. Patches are available through the automatic update mechanism or directly from the manufacturer's websites indicated in the references.

Who is affected

Mozilla Firefox 149.0.1 and Mozilla Thunderbird 149.0.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 149.0.2
  • Mozilla Thunderbird

    APP
    Mozilla
    < 149.0.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...