{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6756", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-21T12:40:51.756Z", "datePublished": "2026-04-21T12:40:52.082Z", "dateUpdated": "2026-04-22T15:35:12.113Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Mitigation bypass in Firefox for Android. This vulnerability was fixed in Firefox 150.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Mitigation bypass in Firefox for Android. This vulnerability was fixed in Firefox 150."}]}], "title": "Mitigation bypass in Firefox for Android", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1992585"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}], "credits": [{"lang": "en", "value": "Hafiizh & Kang Ali"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T12:40:52.082Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T14:29:47.387240Z", "id": "CVE-2026-6756", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:35:12.113Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Mitigation bypass in Firefox for Android", "credits": [{"lang": "en", "value": "Hafiizh & Kang Ali"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "150", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1992585"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}], "descriptions": [{"lang": "en", "value": "Mitigation bypass in Firefox for Android. This vulnerability was fixed in Firefox 150.", "supportingMedia": [{"type": "text/html", "value": "Mitigation bypass in Firefox for Android. This vulnerability was fixed in Firefox 150.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T12:40:52.082Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6756", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T14:29:47.387240Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-22T14:25:17.215Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-6756", "state": "PUBLISHED", "dateUpdated": "2026-04-21T12:40:52.082Z", "dateReserved": "2026-04-21T12:40:51.756Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-04-21T12:40:52.082Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "67B01D49-66FA-4C76-9EB4-2B8CD61FBEB2", "versionEndExcluding": "150.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Mitigation bypass in Firefox for Android. This vulnerability was fixed in Firefox 150."}], "id": "CVE-2026-6756", "lastModified": "2026-04-22T17:40:12.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T13:16:21.593", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1992585"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Mitigation bypass in Firefox for Android", "id": "2460072", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460072"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-807", "details": ["A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue:\nMitigation bypass in Firefox for Android"], "name": "CVE-2026-6756", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-21T12:40:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6756\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6756\nhttps://www.mozilla.org/security/advisories/mfsa2026-30/#CVE-2026-6756"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[150,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-27T19:52:41.596398+00:00", "value": {"mitigation_remediation": ["Upgrade Firefox for Android to version 150 or later", "If an upgrade is not possible, limit the browser to offline or trusted networks until a patch is available", "Continuously monitor the device for signs of anomalous activity that may indicate exploitation"], "summary": {"action": "Immediate Patch", "impact": "Mitigation Bypass"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox for Android versions before 150 are potentially affected. All releases earlier than 150 are included because the CVE record does not provide finer version granularity, so any older build of the browser on an Android device may be vulnerable.", "description_and_impact": "This vulnerability allows an attacker to disable or bypass built\u2011in security mitigations within Firefox for Android. The flaw is associated with CWE\u2011200 (Information Exposure) and CWE\u2011807 (Improper Neutralization of Input During Web Page Generation), meaning that sensitive data could be disclosed or improperly handled. By disabling mitigations, an attacker could reduce the browser\u2019s protection against various exploits, thereby potentially enabling compromise of the user device or data.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates a high severity. The EPSS score is less than 1%, suggesting that the recorded probability of exploitation is very low. The issue is not listed in CISA KEV, so no confirmed exploitation has been documented. Based on the description, it is inferred that exploitation would involve the attacker providing malicious web content that the browser would then process with the bypassed mitigations. If that condition is met, the potential impact could be significant, but currently no live exploitation is known."}}}}, "created": "2026-04-21T16:45:15.077721+00:00", "updated": "2026-04-27T20:00:05.654841+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}