Firefox & Thunderbird Critical RCE (CVE-2026-5731)
CVE-2026-5731
Patch now - CVE-2026-5731 is a critical memory corruption flaw in Firefox and Thunderbird prior to 149.0.2, and in the corresponding ESR branches listed under Affected Products, that allows unauthenticated remote code execution over the network. The CVSS vector rates it as requiring no privileges and no user interaction, so updating to a fixed version is essential.
Overview
CVE-2026-5731 is a critical memory safety vulnerability affecting multiple versions of Mozilla Firefox and Thunderbird. The flaw stems from memory corruption bugs that could be exploited to run arbitrary code on a victim’s system.
Affected Products
The vulnerability impacts a wide range of versions. You are affected if you are running:
- Firefox prior to 149.0.2
- Firefox ESR 115.x prior to 115.34.1
- Firefox ESR 140.x prior to 140.9.1
- Thunderbird prior to 149.0.2
- Thunderbird ESR 140.x prior to 140.9.1
Technical Impact
This is a network-based attack with a CVSS base score of 9.8 (Critical): the flaw is reachable over the network, needs no privileges, and is rated as requiring no user interaction (such as clicking a link). In CVSS terms that means nothing beyond ordinary use of the application; for a browser or mail client, the trigger is attacker-controlled content that the application parses and renders. Successful exploitation could allow an attacker to execute arbitrary code on the target system, potentially leading to a complete compromise: data theft, installation of malware, or use of the host as a pivot for further attacks.
Remediation
Immediate patching is the only complete mitigation.
- Update your software: all users must update to the latest patched versions.
  - Firefox: 149.0.2 or later.
  - Firefox ESR: 115.34.1 or later on the 115.x branch, 140.9.1 or later on the 140.x branch.
  - Thunderbird: 149.0.2 or later.
  - Thunderbird ESR: 140.9.1 or later.
- Enable automatic updates: ensure automatic updates are enabled in your browser and email client settings so that future security fixes arrive promptly.
- Verify the version: confirm the update was applied by checking “About Firefox” or “About Thunderbird” in the application’s menu, or by running firefox --version / thunderbird --version from a terminal. The installed version must meet or exceed the fixed version for its own branch: an ESR 140.9.0 install is still vulnerable even though 140.9.0 is numerically higher than 115.34.1.
For organizations managing deployments, expedite the rollout of these updated packages. There are no known effective workarounds for this vulnerability, making the update imperative.
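As an added example for fleet-wide verification (this is not part of the advisory and not Mozilla's code), the following Python script classifies firefox --version / thunderbird --version output lines against the fixed versions above while keeping the ESR branches separate, so a 140.9.0 ESR install is reported as vulnerable rather than being compared against the 115.x floor. It assumes ESR builds append an "esr" suffix to the version number; the sample inventory lines at the bottom are constructed, not collected from real hosts.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Fixed versions taken from the advisory above. ESR branches are keyed by major
# number because "prior to 115.34.1" and "prior to 140.9.1" are separate floors:
# a 140.x ESR install must be compared against 140.9.1, never against 115.34.1
# (a plain numeric comparison would wrongly call 140.9.0esr "patched").
FIXED_RELEASE: Dict[str, Version] = {
    "firefox": (149, 0, 2),
    "thunderbird": (149, 0, 2),
}
FIXED_ESR: Dict[str, Dict[int, Version]] = {
    "firefox": {115: (115, 34, 1), 140: (140, 9, 1)},
    "thunderbird": {140: (140, 9, 1)},
}

# One line of `firefox --version` / `thunderbird --version` output, e.g.
# "Mozilla Firefox 149.0.1", "Mozilla Firefox 140.9.0esr", "Thunderbird 149.0.2".
# Assumption: ESR builds report an "esr" suffix on the version number.
_VERSION_RE = re.compile(
    r"^(?:Mozilla\s+)?(?P<product>Firefox|Thunderbird)\s+"
    r"(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?(?P<esr>esr)?$",
    re.IGNORECASE,
)


def parse_version_line(line: str) -> Tuple[str, Version, bool]:
    """Return (product, (major, minor, patch), is_esr) for one --version line."""
    m = _VERSION_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised version line: {line!r}")
    version = (int(m["major"]), int(m["minor"]), int(m["patch"] or 0))
    return m["product"].lower(), version, m["esr"] is not None


def assess(product: str, version: Version, is_esr: bool) -> Tuple[str, Version]:
    """Classify an install against the advisory's fixed versions.

    Returns (status, floor): status is "vulnerable", "patched" or
    "unknown_branch"; floor is the fixed version the install was compared
    against, or (0, 0, 0) when the advisory lists no floor for that ESR branch.
    """
    if is_esr:
        floor = FIXED_ESR[product].get(version[0])
        if floor is None:
            # An ESR major the advisory does not mention (e.g. an end-of-life
            # branch): flag it for manual review instead of calling it safe.
            return "unknown_branch", (0, 0, 0)
    else:
        floor = FIXED_RELEASE[product]
    return ("patched" if version >= floor else "vulnerable"), floor


def check_line(line: str) -> str:
    """Status for one --version line; "unparsed" if it is not a Firefox/Thunderbird line."""
    try:
        product, version, is_esr = parse_version_line(line)
    except ValueError:
        return "unparsed"
    return assess(product, version, is_esr)[0]


if __name__ == "__main__":
    # Constructed sample inventory lines (not real hosts). In practice, feed in
    # the collected --version output, one host per line.
    samples = [
        "Mozilla Firefox 149.0.1",
        "Mozilla Firefox 149.0.2",
        "Mozilla Firefox 140.9.0esr",   # above 115.34.1 numerically, still vulnerable
        "Mozilla Firefox 140.9.1esr",
        "Mozilla Firefox 115.34.1esr",
        "Thunderbird 140.9.0esr",
        "Thunderbird 148.0",
        "Mozilla Firefox 128.15.0esr",  # branch not listed in the advisory
    ]
    for line in samples:
        print(f"{line:32s} {check_line(line)}")
```

The "unknown_branch" result is deliberate: an ESR major the advisory does not list is almost certainly end-of-life and should be reviewed by hand, not silently reported as patched.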
Security Insight
This advisory highlights the persistent threat of memory corruption in complex, widely used software such as browsers and mail clients. The 9.8 score is driven by the network vector combined with no required privileges or user interaction: a flaw that triggers when content is rendered bypasses user awareness as a defense, so patching, not caution, is the effective control.
Related Advisories
- Sandbox escape due to incorrect boundary conditions in the WebRTC: Networking component. This vulnerability was fixed in Firefox 150, Thunderbird 150, and Firefox ESR 140.10.1....
- Uninitialized memory in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10....
- Mitigation bypass in the Networking: Cookies component. This vulnerability was fixed in Firefox 150 and Thunderbird 150....
- Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10....
- Memory safety bugs present in Firefox ESR 115.34, Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that...
- Memory safety bugs present in Firefox ESR 140.9, Thunderbird ESR 140.9, Firefox 149 and Thunderbird 149. Some of these bugs showed evidence of memory corruption and we presume that with enough effort ...