Firefox & Thunderbird RCE (CVE-2026-5735)

Patch now - CVE-2026-5735 is a critical memory corruption vulnerability in Mozilla Firefox and Thunderbird before 149.0.2 that grants remote attackers arbitrary code execution over the network with no user interaction.

Overview

Multiple memory safety bugs in Mozilla Firefox and Thunderbird have been patched in CVE-2026-5735. These flaws, present in versions before 149.0.2, could lead to memory corruption. Mozilla presumes that with sufficient effort, an attacker could exploit this corruption to run arbitrary code on a target system.

Vulnerability Details

This is a critical-severity memory corruption vulnerability. The flaws reside in the browser and email client’s core code, where improper memory operations can corrupt the application’s state. The CVSS v3.1 score of 9.8 reflects the worst-case scenario: an attack can be launched over a network with low complexity, requires no privileges, and needs no interaction from the user beyond visiting a malicious website or opening a specially crafted email.

Impact

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the victim’s computer. This would occur with the same permissions as the user running Firefox or Thunderbird. An attacker could then install malware, steal sensitive data, or create a persistent foothold on the system. The combination of remote, no-interaction exploitation makes this a high-priority threat for all users.

Remediation and Mitigation

The only complete mitigation is to update the affected software immediately.

For Firefox Users:

• Open Firefox, click the menu button (three horizontal lines), and select “Help” > “About Firefox.”
• Firefox will check for updates and prompt you to restart. Ensure your version is 149.0.2 or newer.

For Thunderbird Users:

• Open Thunderbird, click the menu button (three horizontal lines), and select “Help” > “About Thunderbird.”
• The client will check for updates. Ensure your version is 149.0.2 or newer.

Organizations should deploy these updates through their standard patch management systems as a critical priority. Until patches are applied, consider restricting access to untrusted web content and email. For the latest on active threats, monitor our security news feed.

Security Insight

This advisory highlights the persistent threat of memory corruption in foundational software like browsers, which remain a primary target for attackers. The pattern of bundling multiple memory safety fixes into a single critical CVE mirrors Mozilla’s response to the infamous “MFSA 2020-03” group of vulnerabilities, which were also widely exploited. It underscores the ongoing industry challenge of securing complex C++ codebases against such fundamental flaws.

Further Reading

• All Critical Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs