CVE-2026-5735

Mozilla · Firefox and Thunderbird

Multiple memory safety vulnerabilities in Mozilla Firefox and Thunderbird could lead to memory corruption and potential arbitrary code execution.

Executive summary

Critical memory safety vulnerabilities in Mozilla Firefox and Thunderbird versions prior to 149.0.2 allow for potential memory corruption and arbitrary code execution.

Vulnerability

The software contains several memory safety bugs that result in memory corruption. These defects could be leveraged by an attacker to execute arbitrary code within the context of the application.

Business impact

The CVSS score of 9.8 underscores the critical nature of this vulnerability, as it allows for Remote Code Execution (RCE). Successful exploitation could result in full compromise of the user's system, including the theft of sensitive browser data or credentials, or the installation of malware. These risks pose a significant threat to both individual workstation security and corporate network integrity.

Remediation

Immediate Action: Update all installations of Firefox and Thunderbird to version 149.0.2 or later to resolve these memory safety defects.

Proactive Monitoring: Monitor endpoint security logs for signs of application crashes or suspicious behavior originating from the browser or email client.

Compensating Controls: Utilize browser-based security policies and endpoint protection platforms to detect and block malicious payloads that attempt to exploit memory corruption.
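As an added example (not part of this advisory and not Mozilla's code), the following Python checker compares an installed Firefox or Thunderbird version string against the 149.0.2 fix version named above. It assumes that `<binary> --version` prints a line ending in the version number, and it flags ESR builds for manual review because their fixed versions are not listed in this advisory.

```python
# Version check against the CVE-2026-5735 fix version (149.0.2 per the advisory).
# Added example, not Mozilla code; sample inputs are constructed. ESR builds
# ("140.x.yesr") get fixes on their own version line, which this advisory does
# not list, so they are reported for manual review rather than compared.
import re
import subprocess

FIXED_VERSION = "149.0.2"  # fix version stated in the advisory

# Mozilla version strings: "149.0.2", "149.0b3" (beta), "140.3.1esr"
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([ab]\d+)?(esr)?$")

def parse_version(text):
    """Return (numeric parts, prerelease tag or None, is_esr)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    pre = (m.group(2)[0], int(m.group(2)[1:])) if m.group(2) else None
    return numbers, pre, bool(m.group(3))

def _pad(numbers, width):
    return numbers + (0,) * (width - len(numbers))

def assess(installed, fixed=FIXED_VERSION):
    """Classify an installed version: 'fixed', 'vulnerable' or 'review' (ESR)."""
    inst_num, inst_pre, inst_esr = parse_version(installed)
    fix_num, _, _ = parse_version(fixed)
    if inst_esr:
        return "review"
    width = max(len(inst_num), len(fix_num))
    inst_num, fix_num = _pad(inst_num, width), _pad(fix_num, width)
    if inst_num > fix_num:
        return "fixed"
    if inst_num < fix_num:
        return "vulnerable"
    # Same numeric version: a beta/alpha build precedes the release
    return "vulnerable" if inst_pre else "fixed"

def installed_version(binary="firefox"):
    """Query the local binary (assumes '<binary> --version' ends with the version)."""
    out = subprocess.run([binary, "--version"], capture_output=True, text=True, check=True)
    return out.stdout.strip().split()[-1]

if __name__ == "__main__":
    for v in ["148.0.1", "149.0", "149.0.2", "149.0b3", "149.1", "140.3.1esr"]:
        print(f"{v:>12} -> {assess(v)}")
```

Run `assess(installed_version("thunderbird"))` on an endpoint to check the mail client the same way; anything reported as "review" needs the ESR line's own fix version from Mozilla's release notes.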

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

These memory safety vulnerabilities are highly dangerous and require immediate patching. Organizations should deploy the 149.0.2 updates across all enterprise endpoints to protect against potential exploitation of these memory corruption flaws.