{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6757", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-21T12:40:52.634Z", "datePublished": "2026-04-21T12:40:52.961Z", "dateUpdated": "2026-04-21T23:34:49.159Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.10", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.10", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10."}]}], "title": "Invalid pointer in the JavaScript: WebAssembly component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013588"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-32/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-34/"}], "credits": [{"lang": "en", "value": "Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:34:49.159Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10."}], "id": "CVE-2026-6757", "lastModified": "2026-04-22T00:16:31.597", "metrics": {}, "published": "2026-04-21T13:16:21.690", "references": [{"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013588"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-32/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-34/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Undergoing Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[140.10,140.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[150,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-22T09:43:06.003224+00:00", "value": {"mitigation_remediation": ["Upgrade to Firefox\u00a0150 or later, or to Firefox ESR\u00a0140.10 or later if using the ESR branch.", "Upgrade to Thunderbird\u00a0150 or later, or to Thunderbird ESR\u00a0140.10 or later if using the ESR branch.", "If an upgrade cannot be performed immediately, disable WebAssembly in the browser or block untrusted WebAssembly code using extensions or enterprise policies."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox and Mozilla Thunderbird are affected. Versions before Firefox\u00a0150 and Firefox ESR\u00a0140.10, and the corresponding Thunderbird releases before\u00a0150 and ESR\u00a0140.10, contain the vulnerability.", "description_and_impact": "The flaw is an invalid pointer in the JavaScript WebAssembly component that can corrupt memory and potentially enable remote code execution. The description indicates that the bug might be triggered via WebAssembly, suggesting that crafted modules could cause the browser to execute arbitrary code. Based on the description, it is inferred that the impact includes the possibility of remote code execution.", "risk_and_exploitability": "Because the flaw is an out\u2011of\u2011bounds write or use\u2011after\u2011free in the JavaScript engine, an attacker could potentially exploit the bug by delivering malicious WebAssembly code over the network. Based on the description, the likely attack vector is sending crafted WebAssembly modules. No EPSS data is available and the vulnerability is not listed in KEV, implying that no widespread exploitation has been reported yet, but the severe consequence of remote code execution justifies immediate patching."}}}}, "created": "2026-04-21T17:15:25.103990+00:00", "updated": "2026-04-22T09:45:13.089409+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"], "weaknesses": ["CWE-119", "CWE-416"]}