{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6746", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-21T12:40:43.779Z", "datePublished": "2026-04-21T12:40:44.148Z", "dateUpdated": "2026-04-22T15:08:34.207Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "115.35", "lessThanOrEqual": "115.*", "versionType": "rpm"}, {"status": "unaffected", "version": "140.10", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.10", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10."}]}], "title": "Use-after-free in the DOM: Core & HTML component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2014596"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-31/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-32/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-34/"}], "credits": [{"lang": "en", "value": "Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:34:37.002Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "CWE-416 Use After Free"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T15:08:29.668813Z", "id": "CVE-2026-6746", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:08:34.207Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6746", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T15:08:29.668813Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:41:50.489Z"}}], "cna": {"title": "Use-after-free in the DOM: Core & HTML component", "credits": [{"lang": "en", "value": "Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "115.35", "versionType": "rpm", "lessThanOrEqual": "115.*"}, {"status": "unaffected", "version": "140.10", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "150", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "140.10", "versionType": "rpm", "lessThanOrEqual": "140.*"}, {"status": "unaffected", "version": "150", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2014596"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-31/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-32/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-34/"}], "descriptions": [{"lang": "en", "value": "Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.", "supportingMedia": [{"type": "text/html", "value": "Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:34:37.002Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6746", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:08:34.207Z", "dateReserved": "2026-04-21T12:40:43.779Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-04-21T12:40:44.148Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "E69D71F5-CAAA-4F28-AB9F-9F898A52D506", "versionEndExcluding": "115.35.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "67B01D49-66FA-4C76-9EB4-2B8CD61FBEB2", "versionEndExcluding": "150.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "matchCriteriaId": "528443E0-C15A-4E70-9187-8E1BAAE84A42", "versionEndExcluding": "140.10.0", "versionStartIncluding": "140.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "matchCriteriaId": "48217E2F-FFD3-4385-B962-15365B293DA7", "versionEndExcluding": "140.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use-after-free in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 150, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10."}], "id": "CVE-2026-6746", "lastModified": "2026-04-22T14:38:12.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T13:16:20.720", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2014596"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-31/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-32/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-34/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Use-after-free in the DOM: Core & HTML component", "id": "2460112", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460112"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-825", "details": ["A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue:\nUse-after-free in the DOM: Core & HTML component"], "name": "CVE-2026-6746", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-21T12:40:44Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6746\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6746\nhttps://www.mozilla.org/security/advisories/mfsa2026-30/#CVE-2026-6746\nhttps://www.mozilla.org/security/advisories/mfsa2026-31/#CVE-2026-6746\nhttps://www.mozilla.org/security/advisories/mfsa2026-32/#CVE-2026-6746"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[115.35,115.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[140.10,140.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[150,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-22T06:57:43.123809+00:00", "value": {"mitigation_remediation": ["Upgrade to Firefox 150 or Thunderbird 150, or to the corresponding ESR releases (Firefox ESR 115.35 or 140.10, Thunderbird ESR 115.35 or 140.10) if using an ESR branch.", "Ensure that automatic updates are enabled so that the latest security fixes are applied without manual intervention.", "Monitor Mozilla\u2019s security advisories for future patches and consider applying interim mitigations such as disabling JavaScript or other risky features for untrusted content, while awaiting a permanent fix."], "summary": {"action": "Patch Immediately", "impact": "Use\u2011after\u2011free leading to potential code execution"}, "threat_synthesis": {"affected_systems": "All Mozilla Firefox releases prior to version 150, Firefox ESR 115.35 and 140.10, as well as Thunderbird 150 and Thunderbird 140.10, are vulnerable. Any system running the affected builds is at risk.", "description_and_impact": "This vulnerability is a use\u2011after\u2011free condition in the browser\u2019s DOM core and HTML handling logic. It allows an attacker to exploit a freed memory region that may still be accessed, potentially enabling arbitrary code execution in the context of the browser process. The weakness corresponds to CWE\u2011416 and could compromise confidentiality, integrity, or availability for the affected user if malicious content is processed.", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high severity for use\u2011after\u2011free bugs in a mainstream browser. Since the EPSS score is unavailable and the vulnerability is not listed in CISA KEV, precise exploitation likelihood cannot be quantified. Based on the description, the likely attack vector is through a crafted web page or script that triggers the DOM bug during normal browsing activities."}}}}, "created": "2026-04-21T17:00:11.952872+00:00", "updated": "2026-04-22T07:00:12.127889+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}