{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6757", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-21T12:40:52.634Z", "datePublished": "2026-04-21T12:40:52.961Z", "dateUpdated": "2026-04-21T23:34:49.159Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.10", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "140.10", "lessThanOrEqual": "140.*", "versionType": "rpm"}, {"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10."}]}], "title": "Invalid pointer in the JavaScript: WebAssembly component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013588"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-32/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-34/"}], "credits": [{"lang": "en", "value": "Evyatar Ben Asher, Keane Lucas, Nicholas Carlini, Newton Cheng, Daniel Freeman, Alex Gaynor, and Joel Weinberger using Claude from Anthropic"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:34:49.159Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Invalid pointer in the JavaScript: WebAssembly component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10."}], "id": "CVE-2026-6757", "lastModified": "2026-04-22T00:16:31.597", "metrics": {}, "published": "2026-04-21T13:16:21.690", "references": [{"source": "security@mozilla.org", "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2013588"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-32/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-34/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Undergoing Analysis"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[140.10,140.*]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[150,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-22T03:18:28.667926+00:00", "value": {"mitigation_remediation": ["Upgrade to Firefox 150 or later, or to Firefox ESR 140.10 or later if using the ESR branch.", "Enable automatic updates to receive future security patches promptly.", "If upgrade is not immediately feasible, disable WebAssembly in the browser or block untrusted WebAssembly code using extensions or enterprise policies."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox is affected. Versions prior to 150 in the main release and prior to 140.10 in the ESR line contain the vulnerability.", "description_and_impact": "An invalid pointer within the JavaScript WebAssembly component may allow an attacker to exploit memory corruption, potentially leading to unauthorized code execution or system compromise. The flaw is a direct memory access error that bypasses usual bounds checks.", "risk_and_exploitability": "The CVSS score is not provided but the flaw permits remote execution with no known mitigations. No EPSS data is available, and the vulnerability is not yet listed in CISA\u2019s KEV catalog, indicating no known widespread exploitation, yet the lack of enterprise-wide patches means users remain at risk. Without active updates, an attacker could send crafted WebAssembly data to trigger the invalid pointer."}}}}, "created": "2026-04-21T17:15:25.103990+00:00", "updated": "2026-04-22T03:30:06.681712+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"], "weaknesses": ["CWE-119", "CWE-416"]}