Use-After-Free Vulnerability in Firefox and Firefox ESR Products
CVE-2026-6746

Currently unrated

Key Information:

Vendor

Mozilla
Status
Firefox
Vendor
CVE Published:
21 April 2026

What is CVE-2026-6746?

A use-after-free vulnerability exists in the DOM component of the Firefox web browser. This issue arises when the memory is accessed after it has been freed, potentially allowing attackers to execute arbitrary code. The vulnerability has been addressed in Firefox version 150 and specific Firefox ESR versions (115.35 and 140.10), highlighting the importance of updating to secure versions to mitigate associated risks.

Affected Version(s)

Firefox 115.35

Firefox 140.10

Firefox 150

References

https://bugzilla.mozilla.org/show_bug.cgi?id=2014596
https://www.mozilla.org/security/advisories/mfsa2026-30/
https://www.mozilla.org/security/advisories/mfsa2026-31/

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic
.