Home / Vulnerability Intelligence / CVE-2026-5731

CVE-2026-5731 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 7, 2026

Mozilla Firefox & Thunderbird - Remote Code Execution

Published: April 7, 2026Updated: April 7, 2026Remote Exploitable

Overview

Mozilla Firefox ESR 115.34.0, 140.9.0, Firefox 149.0.1, and Thunderbird ESR 140.9.0, 149.0.1 contain memory safety bugs caused by memory corruption, letting attackers potentially execute arbitrary code, exploit requires no special conditions.

Severity & Score

Severity: Critical

CVSS Score: 9.8

Impact

Attackers can exploit memory corruption to execute arbitrary code, potentially leading to full system compromise.

Mitigation

Update to Firefox 149.0.2, Firefox ESR 115.34.1, Firefox ESR 140.9.1 or later versions.

References

https://www.mozilla.org/security/advisories/mfsa2026-25/
https://www.mozilla.org/security/advisories/mfsa2026-26/
https://www.mozilla.org/security/advisories/mfsa2026-27/
https://www.mozilla.org/security/advisories/mfsa2026-28/
https://www.mozilla.org/security/advisories/mfsa2026-29/
https://bugzilla.mozilla.org/buglist.cgi?bug_id=2021894%2C2022225%2C2022252%2C2022294%2C2023007%2C2023130%2C2023191%2C2023364%2C2023829%2C2024074%2C2024417%2C2024433%2C2024436%2C2024437%2C2024453%2C2024461%2C2024462%2C2024472%2C2024474%2C2024477%2C2025364%2C2025401%2C2025402%2C2025472%2C2026287%2C2026299%2C2026305%2C2026426

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-5731
Severity: Critical
CVSS Score: 9.8
Type: buffer_overflow
Status: unconfirmed

CWE

CWE-119

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H