Platform
firefox
Component
firefox
Fixed in
115.34.1
140.9.1
149.0.2
CVE-2026-5731 represents a collection of memory safety bugs discovered in Mozilla Firefox and Thunderbird. These bugs, characterized by evidence of memory corruption, could potentially be exploited to execute arbitrary code with sufficient effort. The vulnerability impacts Firefox versions 115.34.0 through 140.*, as well as Firefox ESR and Thunderbird ESR 115.34.0 and 140.9.0, and Firefox and Thunderbird 149.0.1. A patch addressing this issue has been released.
A security vulnerability (CVE-2026-5731) has been identified in Firefox and Thunderbird ESR, as well as non-ESR versions of Firefox. This vulnerability stems from memory safety bugs, where code doesn't handle memory correctly, potentially leading to memory corruption. While no real-world attacks have been reported, researchers have found evidence of memory corruption, suggesting a skilled attacker could potentially exploit this vulnerability to execute arbitrary code on the user's system. Affected versions include Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1, and Thunderbird 149.0.1. The severity of this vulnerability is significant due to the potential for remote code execution.
The vulnerability lies in how Firefox and Thunderbird handle certain memory operations. While no public exploit has been demonstrated, the evidence of memory corruption indicates that an attacker could craft a malicious input that, when processed by the browser, causes a memory safety failure. This failure could allow the attacker to inject and execute malicious code, gaining control over the user's system. The complexity of exploitation will depend on the specific nature of the memory error and the security protections implemented in the operating system and browser. Mozilla is expected to continue monitoring the situation and providing updates if new information is discovered.
Exploit Status
EPSS
0.07% (22% percentile)
Mozilla has released security updates to address this vulnerability. We strongly recommend all Firefox and Thunderbird users update to the patched versions as soon as possible. The patched versions are Firefox 149.0.2, Firefox ESR 115.34.1, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1. Ensure you have automatic updates enabled to proactively receive these security fixes. If you cannot update immediately, consider disabling JavaScript as a temporary measure, although this may affect the functionality of some websites. Keeping your software updated is a best practice for protecting against security vulnerabilities.
Actualice Firefox a la versión 149.0.2 o posterior, Firefox ESR a la versión 115.34.1 o 140.9.1, Thunderbird a la versión 149.0.2 o 140.9.1 para mitigar la vulnerabilidad de corrupción de memoria. Verifique las notas de la versión para obtener instrucciones de instalación específicas.
Vulnerability analysis and critical alerts directly to your inbox.
It's a unique identifier for a security vulnerability in Firefox and Thunderbird.
Yes, it is highly recommended to update to the latest version to protect yourself from this vulnerability.
You can update manually from the 'Help' menu or enable automatic updates in the settings.
It's an error where computer memory is used incorrectly, which can cause instability or allow malicious code execution.
As a temporary measure, consider disabling JavaScript, but be aware that this may affect the functionality of some websites.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.