CVE-2026-6746: Use-After-Free in Firefox Core & HTML Component
Platform
firefox
Component
firefox-core-html-component
Fixed in
150.0.0
CVE-2026-6746 describes a use-after-free vulnerability discovered in the Firefox Core and HTML components. This type of vulnerability can lead to unexpected application crashes or, more critically, allow an attacker to execute arbitrary code. The vulnerability affects Firefox versions 115.0.0 through 140.* and has been resolved in Firefox 150.0.0, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
Impact and Attack Scenarios
A use-after-free occurs when a program keeps using memory after it has been released; the freed region can then be reallocated and its contents influenced by an attacker, which is what turns a dangling pointer into control of program state. In Firefox, a crafted web page could trigger the bug when the affected core or HTML code processes it. Outcomes range from a denial of service (the process crashes) to arbitrary code execution in the process that handled the content. Because Firefox renders web content in sandboxed content processes, code execution there first gives the attacker what that process can reach (the page's data and any session material held in the process); taking control of the user's system generally requires chaining a separate sandbox-escape or privilege-escalation bug. The impact is greater when the browser runs with elevated privileges or has access to sensitive information.
Exploitation Context
CVE-2026-6746 was publicly disclosed on 2026-04-21. No public proof-of-concept (PoC) code has been released at the time of writing, but use-after-free bugs in browser engines are a recurring exploitation target, so the absence of a PoC should not be read as low risk. The EPSS score is 0.06% (19th percentile). It is not currently listed in the CISA KEV catalog.
Threat Intelligence
Exploit status: no public PoC or in-the-wild exploitation reported; not listed in CISA KEV
EPSS: 0.06% (19th percentile)
Affected software: Firefox and Thunderbird 115.0.0 through 140.* (fixed versions are listed under Mitigation and Workarounds)
Timeline
- Reserved
- Published: 2026-04-21
- Modified
- EPSS updated
Mitigation and Workarounds
The only real fix for CVE-2026-6746 is to upgrade to a patched version: Firefox 150.0.0 or later, Firefox ESR 115.35 or later, Firefox ESR 140.10 or later, Thunderbird 150 or later, or Thunderbird 140.10 or later. Content Security Policy is not a meaningful interim control here: CSP is set by the site being visited, not by the user, and a page the attacker controls simply will not ship a restrictive policy, so it does nothing against a parsing bug in the browser itself. If the upgrade must be delayed, reduce exposure instead: limit browsing of untrusted sites from unpatched installations, disable JavaScript for untrusted origins (most browser use-after-free exploits rely on script to shape the heap before triggering the bug), keep the content-process sandbox enabled, and do not run the browser as an administrator or root. For detection, watch for content-process crashes clustered around particular sites (Firefox records them under about:crashes) and for unusual outbound connections from browser processes. After upgrading, verify the installed version from Help > About Firefox (or about:support), or with `firefox --version` / `thunderbird --version` from a shell, and restart the application so the update actually takes effect; visiting a web site tells you nothing about whether the fix is installed.
How to fix
Update to Firefox version 150 or later, Firefox ESR version 115.35 or later, Firefox ESR version 140.10 or later, Thunderbird version 150 or later, or Thunderbird version 140.10 or later to mitigate this use-after-free vulnerability.
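To check an installed Firefox or Thunderbird against the fixed versions listed above, here is an added example shell script; it is not Mozilla tooling and not part of the original advisory. It assumes the thresholds exactly as this page states them (mainline 150.0, Firefox ESR 115.35, ESR and Thunderbird 140.10, affected range 115.0.0 through 140.*), and that `firefox --version` / `thunderbird --version` print a line containing the version, as current Linux and macOS builds do. The function names are the example's own. Versions the advisory does not enumerate (for instance 141 through 149, or anything below 115) are reported as not covered rather than guessed at.

```shell
#!/bin/sh
# Added example (not Mozilla tooling): classify an installed Firefox or
# Thunderbird version against the fixed versions this advisory lists.
# Thresholds assumed from the page: mainline >= 150.0; ESR 115.35+ (Firefox
# only); ESR 140.10+ (Firefox and Thunderbird); affected range 115.0.0-140.*.
# Usage: sh cve_2026_6746_check.sh /usr/bin/firefox /usr/bin/thunderbird

# cve_2026_6746_status PRODUCT VERSION
# Exit status: 0 = fixed, 1 = vulnerable, 2 = version outside the ranges the
# advisory enumerates (e.g. 141-149 or < 115), 3 = unparseable version string.
cve_2026_6746_status() {
    product=$1
    version=$2
    major=${version%%.*}                 # "140.9.0esr" -> "140"
    rest=${version#"$major"}
    rest=${rest#.}
    minor=${rest%%.*}                    # "9.0esr" -> "9"
    case $major in ''|*[!0-9]*) return 3 ;; esac
    case $minor in ''|*[!0-9]*) minor=0 ;; esac   # "150" -> minor 0

    if [ "$major" -ge 150 ]; then return 0; fi    # mainline fix
    case "$product:$major" in
        firefox:115) [ "$minor" -ge 35 ] && return 0 || return 1 ;;   # Firefox ESR 115.35
        *:140)       [ "$minor" -ge 10 ] && return 0 || return 1 ;;   # ESR / Thunderbird 140.10
        *)
            # Thunderbird 115 has no fix listed on this page, so it lands here
            # and is treated as part of the stated affected range.
            if [ "$major" -ge 115 ] && [ "$major" -le 140 ]; then return 1; fi
            return 2 ;;
    esac
}

# verdict PRODUCT VERSION -> prints one word for the status above.
verdict() {
    st=0
    cve_2026_6746_status "$1" "$2" || st=$?
    case $st in
        0) echo fixed ;;
        1) echo vulnerable ;;
        2) echo not-covered-by-advisory ;;
        *) echo unparseable ;;
    esac
}

# check_installed /path/to/firefox -> e.g. "firefox 140.9.0: vulnerable"
# Assumes `firefox --version` / `thunderbird --version` print a line such as
# "Mozilla Firefox 140.9.0esr"; the leading words and the "esr" suffix are stripped.
check_installed() {
    bin=$1
    product=$(basename "$bin" | tr 'A-Z' 'a-z')
    product=${product%-esr}              # firefox-esr -> firefox
    installed=$("$bin" --version 2>/dev/null | sed 's/[^0-9]*\([0-9][0-9.]*\).*/\1/')
    printf '%s %s: %s\n' "$product" "${installed:-?}" "$(verdict "$product" "$installed")"
}

if [ $# -gt 0 ]; then
    for b in "$@"; do check_installed "$b"; done
fi
```

The branch logic is the part worth keeping even if you rewrite the rest: a plain "is it at least 150" comparison would mark ESR 140.10 as vulnerable, while a plain "is it at least 140.10" comparison would mark 141.0 as fixed, and neither matches what the advisory actually says.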
Frequently asked questions
What is CVE-2026-6746 — Use-After-Free in Firefox Core & HTML Component?
CVE-2026-6746 is a use-after-free vulnerability affecting Firefox Core and HTML components, potentially leading to crashes or code execution. It impacts versions 115.0.0–140.* and is fixed in Firefox 150.0.0 and later.
Am I affected by CVE-2026-6746 in Firefox Core & HTML Component?
You are affected if you are running Firefox or Thunderbird 115.0.0 through 140.*, including Firefox ESR 115.x below 115.35 and ESR or Thunderbird 140.x below 140.10. Check the installed version under Help > About (or about:support) and upgrade if it is below the fixed versions.
How do I fix CVE-2026-6746 in Firefox Core & HTML Component?
Upgrade to Firefox 150.0.0 or later, Firefox ESR 115.35 or later, Firefox ESR 140.10 or later, Thunderbird 150 or later, or Thunderbird 140.10 or later.
Is CVE-2026-6746 being actively exploited?
No public exploits are currently known, but the vulnerability's nature makes it a potential target.
Where can I find the official Firefox advisory for CVE-2026-6746?
Refer to the official Mozilla security advisory page for details: https://www.mozilla.org/en-US/security/advisories/