{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6780", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-21T12:41:10.075Z", "datePublished": "2026-04-21T12:41:10.362Z", "dateUpdated": "2026-04-21T23:35:16.382Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150."}]}], "title": "Denial-of-service in the Audio/Video: Playback component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2025179"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}], "credits": [{"lang": "en", "value": "LatticeBased"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:35:16.382Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T17:54:24.377166Z", "id": "CVE-2026-6780", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:54:47.792Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6780", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T17:54:24.377166Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:54:44.033Z"}}], "cna": {"title": "Denial-of-service in the Audio/Video: Playback component", "credits": [{"lang": "en", "value": "LatticeBased"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "150", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "150", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2025179"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}], "descriptions": [{"lang": "en", "value": "Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.", "supportingMedia": [{"type": "text/html", "value": "Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:35:16.382Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6780", "state": "PUBLISHED", "dateUpdated": "2026-04-21T23:35:16.382Z", "dateReserved": "2026-04-21T12:41:10.075Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-04-21T12:41:10.362Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Denial-of-service in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150 and Thunderbird 150."}], "id": "CVE-2026-6780", "lastModified": "2026-04-22T00:16:52.607", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T13:16:23.683", "references": [{"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2025179"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[150,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-22T06:48:54.305537+00:00", "value": {"mitigation_remediation": ["Update Firefox and Thunderbird to version 150 or newer.", "Avoid opening untrusted media files or email attachments until the client is updated.", "Apply OS-level or container resource limits to restrict media playback processes."], "summary": {"action": "Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox and Thunderbird are affected. Versions prior to 150 are susceptible, as the bug was fixed in Firefox 150 and Thunderbird 150.", "description_and_impact": "The updated description confirms a denial\u2011of\u2011service vulnerability in the Audio/Video: Playback component. Maliciously crafted playback data can cause the browser or email client process to exhaust system resources, crash, or become unresponsive. The flaw is a classic resource exhaustion case where input is accepted without proper bounds checking, leading to repeated unstable operations and loss of availability for users attempting to play media content.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high\u2011severity denial\u2011of\u2011service issue. EPSS data is not available and is not listed in CISA\u2019s KEV catalog, so no public exploitation data is currently known. Although it does not provide code execution, this flaw can degrade availability and may be combined with other vulnerabilities to increase overall attack impact."}}}}, "created": "2026-04-21T17:15:25.103144+00:00", "updated": "2026-04-22T07:00:12.121316+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}