Mozilla released Firefox 150 on April 21, 2026, addressing 40+ security vulnerabilities, including multiple high-severity code-execution flaws spanning the browser’s JavaScript engine, WebRTC, DOM components, and memory subsystems.
The update, published under Mozilla Foundation Security Advisory (MFSA) 2026-30, carries an overall impact rating of high and marks one of the most comprehensive security patches in recent Firefox history.
The release also coincides with maintenance updates for long-term support branches Firefox ESR 140.10 and Firefox ESR 115.35.
| CVE ID | Vulnerability Type | Component |
|---|---|---|
| CVE-2026-6746 | Use-after-free | DOM: Core & HTML |
| CVE-2026-6747 | Use-after-free | WebRTC |
| CVE-2026-6748 | Uninitialized memory | Audio/Video: Web Codecs |
| CVE-2026-6749 | Information disclosure (uninitialized memory) | Graphics: Canvas2D |
| CVE-2026-6750 | Privilege escalation | Graphics: WebRender |
| CVE-2026-6751 | Uninitialized memory | Audio/Video: Web Codecs |
| CVE-2026-6752 | Incorrect boundary conditions | WebRTC |
| CVE-2026-6753 | Incorrect boundary conditions | WebRTC |
| CVE-2026-6754 | Use-after-free | JavaScript Engine |
| CVE-2026-6784 | Memory safety bugs | Firefox 150 / Thunderbird 150 |
| CVE-2026-6785 | Memory safety bugs | Firefox ESR 115.35 / ESR 140.10 / Firefox 150 |
| CVE-2026-6786 | Memory safety bugs | Firefox ESR 140.10 / Firefox 150 |
| CVE-2026-6755 | Mitigation bypass | DOM: postMessage |
| CVE-2026-6756 | Mitigation bypass | Firefox for Android |
| CVE-2026-6757 | Invalid pointer | JavaScript: WebAssembly |
| CVE-2026-6758 | Use-after-free | JavaScript: WebAssembly |
| CVE-2026-6759 | Use-after-free | Widget: Cocoa |
| CVE-2026-6760 | Mitigation bypass | Networking: Cookies |
| CVE-2026-6761 | Privilege escalation | Networking |
| CVE-2026-6762 | Spoofing issue | DOM: Core & HTML |
| CVE-2026-6763 | Mitigation bypass | File Handling |
| CVE-2026-6764 | Incorrect boundary conditions | DOM: Device Interfaces |
| CVE-2026-6765 | Information disclosure | Form Autofill |
| CVE-2026-6766 | Incorrect boundary conditions | Libraries (NSS) |
| CVE-2026-6767 | Other issue | Libraries (NSS) |
| CVE-2026-6768 | Mitigation bypass | Networking: Cookies |
| CVE-2026-6769 | Privilege escalation | Debugger |
| CVE-2026-6770 | Other issue | Storage: IndexedDB |
| CVE-2026-6771 | Mitigation bypass | DOM: Security |
| CVE-2026-6772 | Incorrect boundary conditions | Libraries (NSS) |
| CVE-2026-6773 | Denial-of-service (integer overflow) | Graphics: WebGPU |
| CVE-2026-6774 | Mitigation bypass | DOM: Security |
| CVE-2026-6775 | Incorrect boundary conditions | WebRTC |
| CVE-2026-6776 | Incorrect boundary conditions | WebRTC: Networking |
| CVE-2026-6777 | Other issue | Networking: DNS |
| CVE-2026-6778 | Invalid pointer | Audio/Video: Playback |
| CVE-2026-6779 | Other issue | JavaScript Engine |
| CVE-2026-6780 | Denial-of-service | Audio/Video: Playback |
| CVE-2026-6781 | Denial-of-service | Audio/Video: Playback |
| CVE-2026-6782 | Information disclosure | IP Protection |
| CVE-2026-6783 | Incorrect boundary conditions / integer overflow | Audio/Video: Playback |
According to Firefox, a remote attacker could exploit these vulnerabilities by enticing a user to open a specially crafted web page, making browser updates critical for all users.
Mozilla urges all Firefox users on versions before 150 to update immediately via Help → About Firefox or by downloading directly from mozilla.org. Firefox 151 is currently in beta with a scheduled release of May 19, 2026.
No Comment! Be the first one.