Mozilla Product Security Update Advisory

Overview.


Mozilla has released security updates to fix multiple vulnerabilities in Firefox and Thunderbird.
The vulnerabilities include memory safety issues and improper boundary handling in several components, including the DOM, WebRTC, Web Codecs, Canvas2D, WebRender, and the JavaScript engine.
Affected versions are generally Firefox and Thunderbird versions below 150 and ESR versions below the specified patch levels.

Summary of resolved vulnerabilities and impact.


  • CVE-2026-6746: A use-after-free vulnerability in the DOM Core & HTML component that could lead to remote code execution.
  • CVE-2026-6747, CVE-2026-6752, CVE-2026-6753: Use-after-free or boundary condition vulnerabilities in the WebRTC component that could affect stability and security.
  • CVE-2026-6748, CVE-2026-6751: Uninitialized memory vulnerabilities in Web Codecs, with a risk of information disclosure or code execution.
  • CVE-2026-6749: An information disclosure vulnerability due to uninitialized memory in Canvas2D.
  • CVE-2026-6750: A privilege escalation vulnerability in the WebRender component.
  • CVE-2026-6754: A use-after-free vulnerability in the JavaScript engine.
  • CVE-2026-6784: A memory safety vulnerability fixed in Firefox 150 and Thunderbird 150.

Patches and Advisories.


  • Mozilla has released patches for these vulnerabilities.
  • Key patched versions include Firefox 150, Firefox ESR 115.35 or 140.10 (or later), and Thunderbird 150 or 140.10 (or later).
  • Environments using affected versions of these products should upgrade to patched versions.
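
When checking an inventory against the patched versions above, the comparison has to be numeric and per release branch: a string compare ranks 140.9 above 140.10, and a single "115.35 or later" floor would pass Firefox 120. The following Python sketch is an added example, not Mozilla code; the inventory rows are constructed, and treating any branch without a listed fix as unpatched is an assumption.

```python
import re

# Fixed versions as stated in this advisory, keyed by product and release
# branch (major version). Branch 150 is the regular release line.
FIXED = {
    "firefox": {150: (150, 0, 0), 140: (140, 10, 0), 115: (115, 35, 0)},
    "thunderbird": {150: (150, 0, 0), 140: (140, 10, 0)},
}

def parse_version(text):
    """'140.9.1esr' -> (140, 9, 1). Suffixes such as 'esr' are ignored."""
    match = re.match(r"\s*(\d+(?:\.\d+){0,2})", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad '150' to (150, 0, 0)

def is_patched(product, version_text):
    """Compare numerically and per branch, never as strings or one global floor."""
    branches = FIXED[product.lower()]
    version = parse_version(version_text)
    major = version[0]
    if major > max(branches):
        return True                      # newer than the fixed regular release
    floor = branches.get(major)
    if floor is None:
        return False                     # assumption: no fix listed for this branch
    return version >= floor

def unpatched(inventory):
    """Return the inventory rows that still need an upgrade."""
    return [row for row in inventory if not is_patched(row[1], row[2])]

# Constructed sample inventory: (host, product, reported version).
INVENTORY = [
    ("ws-01", "firefox", "150.0"),
    ("ws-02", "firefox", "140.9.1esr"),    # string compare would rank 9 above 10
    ("ws-03", "firefox", "120.0"),         # above 115.35 numerically, not patched
    ("ws-04", "firefox", "115.35.0esr"),
    ("ws-05", "thunderbird", "140.10.0esr"),
    ("ws-06", "thunderbird", "149.0.1"),
]

if __name__ == "__main__":
    for host, product, version in unpatched(INVENTORY):
        print(f"{host}: {product} {version} needs an update")
```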

References.


  • Links to Mozilla Foundation Security Advisories (MFSA2026-30 through 34) have been made publicly available.