CVE-2026-6746
Use-After-Free in Firefox DOM Core & HTML Components
Publication date: 2026-04-21
Last updated on: 2026-04-22
Assigner: Mozilla Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | firefox | to 150.0 (exc) |
| mozilla | firefox | to 115.35.0 (exc) |
| mozilla | firefox | From 140.0 (inc) to 140.10.0 (exc) |
| mozilla | thunderbird | to 140.10.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6746 is a high-impact use-after-free vulnerability located in the DOM: Core & HTML component of Firefox and Firefox ESR.
A use-after-free bug occurs when a program continues to use a pointer after the memory it points to has been freed, which can lead to memory corruption and exploitation.
This vulnerability was reported by multiple researchers and fixed in Firefox 150, Firefox ESR 115.35, and Firefox ESR 140.10 as part of broader security updates.
How can this vulnerability impact me? :
This use-after-free vulnerability can lead to memory corruption, crashes, and potentially arbitrary code execution.
Exploitation of this vulnerability could allow attackers to execute malicious code within the context of the affected Firefox browser, compromising system security.
The vulnerability affects the security posture of Firefox by exposing it to risks such as privilege escalation, information disclosure, and other security breaches.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-6746 vulnerability, you should update your Firefox or Firefox ESR browser to the fixed versions.
- Upgrade Firefox to version 150 or later.
- Upgrade Firefox ESR to version 115.35 or later.
- Upgrade Firefox ESR to version 140.10 or later.
These updates include fixes for the use-after-free vulnerability in the DOM: Core & HTML component, along with other security improvements that enhance memory safety and prevent potential arbitrary code execution.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of CVE-2026-6746 on compliance with common standards and regulations such as GDPR or HIPAA.