Platform
firefox
Component
firefox-core-html-component
Fixed version
150.0.0
CVE-2026-6746 is a use-after-free vulnerability in the Firefox Core and HTML components. Bugs of this class can crash the application or, more seriously, let an attacker execute arbitrary code. The advisory lists Firefox versions 115.0.0 through 140.* as affected; the fix ships in Firefox 150.0.0, Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
A use-after-free occurs when a program keeps using a pointer to memory that has already been freed; if the allocator has since handed that memory to another allocation, the stale access reads or writes an object the attacker may control. In Firefox the trigger is typically a crafted web page that steers the buggy code path with script and DOM manipulation, so the only user action required is loading the page. Thunderbird is affected because it renders HTML with the same engine. The outcome ranges from a denial of service (the tab or process crashes) to arbitrary code execution in the context of the affected process. Web content runs in sandboxed content processes, so turning that into theft of data from other sites, malware installation, or control of the machine generally also needs a sandbox escape or a second bug; the impact is still greatest for users with elevated privileges or access to sensitive information.
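To make the mechanism concrete, here is an added example in C that is not code from Firefox or from this advisory: a minimal observer pattern with the dangling-pointer bug beside a reference-counted version that cannot dangle. The types and function names (Node, RawObserver, CountedObserver) are illustrative.

```c
/* Added example, not Firefox code: the shape of a use-after-free next to one
 * hardened form. An observer keeps a pointer to an object that its owner
 * frees; a later access through that pointer touches freed memory. The fix
 * gives the observer a counted reference so the object outlives its last user.
 * Names (Node, RawObserver, CountedObserver) are illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct Node {
    int refcnt;
    char name[32];
} Node;

/* ---- vulnerable pattern: a raw pointer outlives the allocation ---- */
typedef struct { Node *target; } RawObserver;

/* Only called on request from main(); the final read is undefined behaviour. */
int raw_observer_reads_after_owner_frees(void) {
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    strcpy(n->name, "doc");
    RawObserver obs = { n };
    free(n);                       /* owner drops the node ...          */
    return obs.target->name[0];    /* ... observer reads freed memory   */
}

/* ---- hardened pattern: the observer holds a counted reference ---- */
typedef struct { int ch; int refs_while_observed; } Outcome;

Node *node_new(const char *name) {
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->refcnt = 1;
    snprintf(n->name, sizeof n->name, "%s", name);
    return n;
}

Node *node_ref(Node *n) { n->refcnt++; return n; }

/* Takes the address of the caller's pointer and clears it, so a released
 * pointer can never be used again even while the object is still alive. */
void node_unref(Node **np) {
    Node *n = *np;
    *np = NULL;
    if (n && --n->refcnt == 0) free(n);
}

typedef struct { Node *target; } CountedObserver;

Outcome counted_observer_survives_owner_release(void) {
    Outcome out;
    Node *n = node_new("doc");
    CountedObserver obs = { node_ref(n) };   /* refcnt 2 */
    node_unref(&n);                          /* owner lets go: refcnt 1, n == NULL */
    out.ch = obs.target->name[0];            /* still a live object */
    out.refs_while_observed = obs.target->refcnt;
    node_unref(&obs.target);                 /* last reference: freed here */
    return out;
}

int main(int argc, char **argv) {
    Outcome o = counted_observer_survives_owner_release();
    printf("hardened read: '%c' with %d live reference(s)\n",
           o.ch, o.refs_while_observed);
    /* Pass any argument to run the vulnerable path; compile with
     * -fsanitize=address to get a heap-use-after-free report with the
     * allocation and free stacks instead of a silent wrong value or crash. */
    if (argc > 1)
        printf("raw read: %d\n", raw_observer_reads_after_owner_frees());
    (void)argv;
    return 0;
}
```

The hardened form does two things: the observer owns a reference, so the owner releasing the object cannot free it out from under the observer, and node_unref nulls the caller's pointer, so a released pointer cannot be reused by mistake. Browser engines apply the same idea at scale with smart pointers and reference counting; the bugs arise where a raw pointer slips through.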
CVE-2026-6746 was publicly disclosed on 2026-04-21. No public proof-of-concept (PoC) code has been released at the time of writing, but use-after-free bugs in browser engines are a well-established route to code execution and the fix can be diffed by attackers, so it remains an attractive target. The EPSS score is 0.06% (19th percentile). It is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Anyone running Firefox or Thunderbird in the affected range (115.0.0 through 140.*) is exposed, whether an individual, a business, or any organization that relies on these products for browsing and email. Exposure is higher for users who browse untrusted sites, open HTML email from unknown senders, or download files from unknown sources, since those are the channels through which crafted content reaches the rendering engine.
• firefox: Watch for unexpected crashes; the built-in crash reporter and about:crashes record stack traces that point at the crashing component. Reproduce suspected triggers in an AddressSanitizer (ASan) build of Firefox, which reports a use-after-free with the allocation and free stacks rather than a bare crash.
• generic web: A use-after-free does not surface as a JavaScript error in the browser console, so do not rely on that. Instead, review proxy and network logs for pages that repeatedly crash the browser, or for unusual script or payload delivery from sites users would not normally visit.
• linux / server: Valgrind can detect invalid reads and writes in a running Firefox, although it slows the browser considerably and is practical only for targeted reproduction. Check system logs (journald, core dump handlers) for Firefox crash reports or unusual activity.
Disclosure
Exploit status
EPSS
0.06% (19th percentile)
The primary mitigation for CVE-2026-6746 is to upgrade to a patched release: Firefox 150.0.0 or later, Firefox ESR 115.35 or later, Firefox ESR 140.10 or later, Thunderbird 150 or later, or Thunderbird 140.10 or later. There is no configuration-level workaround for a memory-safety bug in the rendering engine. In particular, a Content Security Policy (CSP) is set by the site being visited, not by the user, and it only limits what that site's own pages may load; it cannot stop a page the attacker controls from triggering the bug, so do not count CSP as a mitigation here. Until the upgrade is deployed, reduce exposure by limiting browsing to trusted sites and by monitoring network traffic for unusual connections that might indicate post-exploitation activity. After upgrading, confirm the installed version from the About dialog (Help > About Firefox or Help > About Thunderbird), from about:support, or with firefox --version on the command line, and make sure it matches one of the patched releases above.
Upgrade to Firefox 150 or later, Firefox ESR 115.35 or later, Firefox ESR 140.10 or later, Thunderbird 150 or later, or Thunderbird 140.10 or later to mitigate this use-after-free vulnerability.
CVE-2026-6746 is a use-after-free vulnerability in the Firefox Core and HTML components that can lead to crashes or code execution. It affects versions 115.0.0 through 140.* and is fixed in Firefox 150.0.0 and later, with corresponding fixes in the ESR and Thunderbird releases listed below.
You are affected if you run Firefox or Thunderbird in versions 115.0.0 through 140.*. Check the installed version (Help > About, about:support, or firefox --version) and upgrade if it is below the patched release for your branch.
Upgrade to Firefox 150.0.0 or later, Firefox ESR 115.35 or later, Firefox ESR 140.10 or later, Thunderbird 150 or later, or Thunderbird 140.10 or later.
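The version check described above, as an added example that is not Mozilla's tooling: a POSIX shell script that parses the banner printed by firefox --version or thunderbird --version and compares it with the patched release for that branch (the 115 ESR branch needs 115.35, the 140 branch needs 140.10, anything else needs 150). That the banner looks like "Mozilla Firefox 140.10.0esr" with the version as its last word is an assumption, and the sample banners at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not Mozilla's tooling: decide whether an installed Firefox or
# Thunderbird is at or above the fixed release for CVE-2026-6746.
# Fixed releases from the advisory: ESR 115.35, ESR 140.10, mainline 150.0.0.
FIXED_ESR115="115.35"
FIXED_140="140.10"
FIXED_MAIN="150.0"

# vercmp_ge A B: succeed when dotted version A >= B ("115.35" equals "115.35.0").
vercmp_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# version_from_banner "Mozilla Firefox 140.10.0esr" -> "140.10.0"
# Assumption: the version is the last word of the --version banner.
version_from_banner() {
    v="${1##* }"
    v="${v%%[!0-9.]*}"       # strip a trailing "esr" or similar suffix
    printf '%s' "$v"
}

# is_patched VERSION: succeed when VERSION is at or above the fix for its
# branch. Anything outside the two ESR branches must reach 150.
is_patched() {
    v="$1"
    case "${v%%.*}" in
        115) need="$FIXED_ESR115" ;;
        140) need="$FIXED_140" ;;
        *)   need="$FIXED_MAIN" ;;
    esac
    vercmp_ge "$v" "$need"
}

# report BANNER: one line of output per product checked.
report() {
    ver=$(version_from_banner "$1")
    if is_patched "$ver"; then
        printf '%-32s %-10s patched\n' "$1" "$ver"
    else
        printf '%-32s %-10s VULNERABLE (CVE-2026-6746)\n' "$1" "$ver"
    fi
}

# check_installed: query the real binaries found on PATH.
check_installed() {
    for bin in firefox thunderbird; do
        if command -v "$bin" >/dev/null 2>&1; then
            banner=$("$bin" --version 2>/dev/null) && report "$banner"
        fi
    done
}

# Run against the installed binaries only when asked (./check.sh --installed);
# otherwise demonstrate with constructed sample banners so it works offline.
if [ "${1:-}" = "--installed" ]; then
    check_installed
else
    report "Mozilla Firefox 139.0.4"
    report "Mozilla Firefox 140.9.1esr"
    report "Mozilla Firefox 140.10.0esr"
    report "Mozilla Firefox 115.35.0esr"
    report "Mozilla Firefox 150.0.0"
fi
```

The branch-aware comparison matters: a plain "is the version below 150" test would flag a fully patched ESR 140.10 as vulnerable, while a plain "is it at least 140.10" test would pass an unpatched 141 mainline build. Versions older than 115 are outside the range this advisory lists but are treated as needing the 150 upgrade, since nothing older receives fixes.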
No public exploits are known at the time of writing, but use-after-free bugs in browser engines are a frequent exploitation target, so treat the patch as urgent.
Refer to the official Mozilla security advisory page for details: https://www.mozilla.org/en-US/security/advisories/