Memory Safety Vulnerabilities in Firefox and Thunderbird by Mozilla
CVE-2026-5731

9.8CRITICAL

Key Information:

Vendor: Mozilla
Status: Firefox; Firefox Esr; Thunderbird
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-5731?

Multiple memory safety bugs have been identified in Firefox and Thunderbird that could lead to potential memory corruption. These vulnerabilities affect specific versions of the products which, if successfully exploited, may allow attackers to execute arbitrary code on affected systems. Users are advised to upgrade to the patched versions to mitigate these risks effectively.

Affected Version(s)

Firefox < 149.0.2

Firefox ESR < 115.34.1

Firefox ESR < 140.9.1

References

https://bugzilla.mozilla.org/buglist.cgi?bug_id=2021894%2...

https://www.mozilla.org/security/advisories/mfsa2026-25/

https://www.mozilla.org/security/advisories/mfsa2026-26/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Apr 7, 2026

Credit

Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team

CVE-2026-5731 Data

JSON