CVE-2026-6749
Information Disclosure via Uninitialized Memory in Firefox Canvas2D
Publication date: 2026-04-21
Last updated on: 2026-04-22
Assigner: Mozilla Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | firefox | to 150.0 (exc) |
| mozilla | firefox | to 115.35.0 (exc) |
| mozilla | firefox | From 140.0 (inc) to 140.10.0 (exc) |
| mozilla | thunderbird | to 140.10.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-908 | The product uses or accesses a resource that has not been initialized. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an information disclosure issue caused by uninitialized memory in the Graphics: Canvas2D component of Firefox. Essentially, some memory that should have been properly initialized before use was not, which could lead to unintended exposure of sensitive data.
How can this vulnerability impact me? :
The impact of this vulnerability is information disclosure. An attacker could potentially access sensitive information from uninitialized memory within the Canvas2D graphics component, which might include data from other processes or users.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update your Firefox browser to version 150 or later, or update Firefox ESR to versions 115.35 or 140.10 or later where the issue has been fixed.