Platform
firefox
Component
firefox
Fixed in
150.0.0
140.10
150.0.0
CVE-2026-6749 describes an Information Disclosure vulnerability discovered in Mozilla Firefox. This flaw stems from uninitialized memory within the Graphics: Canvas2D component, potentially allowing an attacker to access sensitive information. The vulnerability impacts Firefox versions 115.0.0 through 140.*, and a fix is available in Firefox version 150.0.0.
Successful exploitation of CVE-2026-6749 could allow an attacker to read data from memory that has not been properly initialized. While the specific data exposed is not detailed, it could potentially include user data, browser settings, or even parts of the browser's internal state. This information could then be used for further attacks, such as identity theft or privilege escalation. The impact is heightened if the affected Firefox instance is running with elevated privileges or has access to sensitive resources. The Canvas2D component is widely used for rendering graphics and multimedia content, increasing the potential attack surface.
CVE-2026-6749 was publicly disclosed on 2026-04-21. No public proof-of-concept (PoC) code is currently available, but the nature of the vulnerability (uninitialized memory) suggests that exploitation may be possible with moderate effort. The vulnerability has not been added to the CISA KEV catalog as of this writing. Active exploitation campaigns are not currently known.
Exploit Status
EPSS
0.05% (15% percentile)
The primary mitigation for CVE-2026-6749 is to upgrade to Firefox version 150.0.0 or later. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing a Content Security Policy (CSP) to restrict the sources from which scripts can be loaded, potentially limiting the attacker's ability to exploit the vulnerability. Monitor Firefox's memory usage for unusual patterns that might indicate exploitation attempts. While a WAF is unlikely to directly mitigate this vulnerability, it can help detect and block malicious requests targeting the Canvas2D component.
Update to Firefox version 150 or later, Firefox ESR version 115.35 or later, Thunderbird version 150 or later, or Thunderbird version 140.10 or later to mitigate information disclosure due to uninitialized memory in the Canvas2D component.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-6749 is an Information Disclosure vulnerability affecting Firefox versions 115.0.0–140.*. It arises from uninitialized memory in the Graphics: Canvas2D component, potentially allowing attackers to access sensitive data.
You are affected if you are using Firefox versions 115.0.0 through 140.*. Upgrade to Firefox 150.0.0 or later to resolve this vulnerability.
The recommended fix is to upgrade to Firefox version 150.0.0 or later. If immediate upgrading is not possible, consider implementing a Content Security Policy (CSP).
As of now, there are no confirmed reports of active exploitation campaigns targeting CVE-2026-6749, but the vulnerability's nature suggests potential for exploitation.
Refer to the official Mozilla security advisory for CVE-2026-6749 on the Mozilla website: https://www.mozilla.org/en-US/security/advisories/
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.