Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities - cyberpress.org

Firefox 150 Released With Fixes for Multiple Code Execution Vulnerabilities By AnuPriya April 22, 2026 Categories: Cyber Security News Mozilla has released Firefox 150, addressing 41 security vulnerabilities, including multiple high-severity flaws that could allow remote code execution (RCE). The update focuses heavily on fixing memory safety issues such as use-after-free and uninitialized memory bugs, which are commonly exploited by attackers to gain control over systems. Security experts strongly recommend users update immediately, as several of these vulnerabilities can be triggered through malicious web content, making them highly exploitable in real-world scenarios. Critical Vulnerabilities Overview Among the most severe issues are two high-risk use-after-free vulnerabilities: CVE-2026-6746 in the DOM (Core & HTML) component CVE-2026-6747 in the WebRTC component These flaws occur when freed memory is accessed incorrectly, potentially enabling attackers to execute arbitrary code or crash the browser. Such bugs are particularly dangerous because they can be exploited simply by convincing a user to visit a malicious webpage. Other high-severity vulnerabilities include memory corruption issues in Web Codecs, Canvas2D, and WebRender, as well as privilege escalation flaws that could allow attackers to break out of browser sandboxes. Interestingly, Mozilla noted that security researchers used AI tools, including Anthropic’s Claude, to help identify some of these complex vulnerabilities, highlighting the growing role of AI in vulnerability research. CVE ID Vulnerability Description Impact CVE-2026-6746 Use-after-free in the DOM: Core & HTML component High  CVE-2026-6747 Use-after-free in the WebRTC component High  CVE-2026-6748 Uninitialized memory in the Audio/Video: Web Codecs component High  CVE-2026-6749 Information disclosure due to uninitialized memory in Graphics: Canvas2D High  CVE-2026-6750 Privilege escalation in the Graphics: WebRender component High  CVE-2026-6751 Uninitialized memory in the Audio/Video: Web Codecs component High  CVE-2026-6752 Incorrect boundary conditions in the WebRTC component High  CVE-2026-6753 Incorrect boundary conditions in the WebRTC component High  CVE-2026-6754 Use-after-free in the JavaScript Engine component High  CVE-2026-6755 Mitigation bypass in the DOM: postMessage component Moderate  CVE-2026-6756 Mitigation bypass in Firefox for Android Moderate  CVE-2026-6757 Invalid pointer in the JavaScript: WebAssembly component Moderate  CVE-2026-6758 Use-after-free in the JavaScript: WebAssembly component Moderate  CVE-2026-6759 Use-after-free in the Widget: Cocoa component Moderate  CVE-2026-6760 Mitigation bypass in the Networking: Cookies component Moderate  CVE-2026-6761 Privilege escalation in the Networking component Moderate  CVE-2026-6762 Spoofing issue in the DOM: Core & HTML component Moderate  CVE-2026-6763 Mitigation bypass in the File Handling component Moderate  CVE-2026-6764 Incorrect boundary conditions in the DOM: Device Interfaces component Moderate  CVE-2026-6765 Information disclosure in the Form Autofill component Moderate  CVE-2026-6766 Incorrect boundary conditions in the Libraries component in NSS Moderate  CVE-2026-6767 Other issue in the Libraries component in NSS Moderate  CVE-2026-6768 Mitigation bypass in the Networking: Cookies component Moderate  CVE-2026-6769 Privilege escalation in the Debugger component Moderate  CVE-2026-6770 Other issue in the Storage: IndexedDB component Moderate  CVE-2026-6771 Mitigation bypass in the DOM: Security component Moderate  CVE-2026-6772 Incorrect boundary conditions in the Libraries component in NSS Moderate  CVE-2026-6773 Denial-of-service due to integer overflow in Graphics: WebGPU Low  CVE-2026-6774 Mitigation bypass in the DOM: Security component Low  CVE-2026-6775 Incorrect boundary conditions in the WebRTC component Low  CVE-2026-6776 Incorrect boundary conditions in the WebRTC: Networking component Low  CVE-2026-6777 Other issue in the Networking: DNS component Low  CVE-2026-6778 Invalid pointer in the Audio/Video: Playback component Low  CVE-2026-6779 Other issue in the JavaScript Engine component Low  CVE-2026-6780 Denial-of-service in the Audio/Video: Playback component Low  CVE-2026-6781 Denial-of-service in the Audio/Video: Playback component Low  CVE-2026-6782 Information disclosure in the IP Protection component Low  CVE-2026-6783 Incorrect boundary conditions/integer overflow in Audio/Video: Playback Low  CVE-2026-6784 Memory safety bugs fixed in Firefox 150 and Thunderbird 150 High  CVE-2026-6785 Memory safety bugs fixed in ESR 115.35, ESR 140.10, and Firefox 150 High  CVE-2026-6786 Memory safety bugs fixed in ESR 140.10 and Firefox 150 High  Users should update to Firefox 150 immediately via the browser’s automatic update feature or by downloading the latest version from Mozilla’s official site. Organizations are advised to prioritize patch deployment, especially in environments where browsers are frequently exposed to untrusted content. This release highlights the continued risk posed by memory safety issues and the importance of rapid patching to defend against evolving web-based attacks. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google Share Facebook Twitter Pinterest WhatsApp AnuPriya Any Priya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends. Recent Articles DAEMON Tools Breach Used to Spread Malware in Supply Chain Attack Cyber Security News May 5, 2026 Critical Weaver E-cology RCE Flaw Actively Exploited by Attackers Cyber Security News May 5, 2026 ScarCruft Supply Chain Attack Targets Gaming Platform Users APT May 5, 2026 Cisco Acquires Astrix Security to Boost AI Agent and Machine Identity Protection Cyber Security News May 5, 2026 WhatsApp Flaw Lets Attackers Use Instagram Reels to Trigger Malicious URLs Cyber Security News May 5, 2026 Related Stories Cyber Security News DAEMON Tools Breach Used to Spread Malware in Supply Chain Attack AnuPriya - May 5, 2026 Cyber Security News Critical Weaver E-cology RCE Flaw Actively Exploited by Attackers AnuPriya - May 5, 2026 APT ScarCruft Supply Chain Attack Targets Gaming Platform Users Varshini - May 5, 2026 Cyber Security News Cisco Acquires Astrix Security to Boost AI Agent and Machine Identity Protection AnuPriya - May 5, 2026 Cyber Security News WhatsApp Flaw Lets Attackers Use Instagram Reels to Trigger Malicious URLs AnuPriya - May 5, 2026 APT SHADOW-EARTH-053 Deploys ShadowPad Through Exchange Server Exploits Varshini - May 5, 2026 LEAVE A REPLY Comment: Name:* Email:* Website: