Firefox/Thunderbird unauth RCE via Web Codecs (CVE-2026-6748)

Patch now - CVE-2026-6748 is a critical remote code execution vulnerability in Firefox and Thunderbird versions prior to 150 and 140.10 that grants unauthenticated RCE with no user interaction required via uninitialized memory in the Web Codecs API.

Overview

An uninitialized memory vulnerability in the Audio/Video: Web Codecs component of Firefox and Thunderbird allows an attacker to achieve remote code execution (RCE) without any user interaction. This flaw affects all versions prior to Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.

Vulnerability Details

CVE-2026-6748 carries a CVSS score of 9.8 (Critical) due to its network-based attack vector, low attack complexity, and no requirement for privileges or user interaction. The vulnerability stems from improper memory initialization in the Web Codecs API, which handles audio and video encoding/decoding operations. When processing crafted multimedia content, the browser may read from or write to uninitialized memory regions, potentially leading to arbitrary code execution in the context of the affected application.

Impact

An attacker can exploit this vulnerability by hosting a malicious website or injecting crafted content into a legitimate site. When a victim visits the page, the exploit executes automatically without clicking or user consent. This allows the attacker to:

• Execute arbitrary code on the victim’s system
• Install malware or ransomware
• Steal sensitive data including credentials and cookies
• Take full control of the affected system

The lack of user interaction makes this particularly dangerous for enterprise environments where users regularly browse the web or open emails with HTML content.

Affected Products

• Firefox versions before 150
• Firefox ESR versions before 140.10
• Thunderbird versions before 150
• Thunderbird versions before 140.10

Remediation

Patch Now

Mozilla has released fixes in the following versions:

• Firefox 150
• Firefox ESR 140.10
• Thunderbird 150
• Thunderbird 140.10

Mitigation Steps

1. Update immediately: Apply the latest updates from Mozilla’s official channels.
2. Enable automatic updates: Configure Firefox and Thunderbird to install updates automatically.
3. Restrict web content: For high-security environments, consider disabling JavaScript or using content security policies until patches are applied.
4. Monitor for suspicious activity: Check for unexpected processes or network connections from browser processes.

Security Insight

This vulnerability follows a recurring pattern where multimedia processing APIs become attack surfaces due to memory management issues. Mozilla’s rapid response with coordinated patches across Firefox and Thunderbird demonstrates improved security maturity, but the severity of this flaw suggests that Web Codecs implementations need additional hardening. Organizations should review their browser update policies to ensure critical patches are deployed within 24-48 hours for network-accessible vulnerabilities of this magnitude.

For the latest data breach reports, visit breach reports. For ongoing cybersecurity news, see security news.

Further Reading

• All Critical Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs