Zero-Day Security Alert — April 7, 2026: Firefox and Thunderbird Critical Memory Safety Vulnerabilities
- Jacob Hughes
- Apr 8
CVE-2026-5734 and CVE-2026-5735: Critical memory safety vulnerabilities in Mozilla Firefox (before 149.0.2) and Thunderbird with CVSS 9.8 scores. Evidence of memory corruption suggests exploitability for arbitrary code execution. Update all Firefox and Thunderbird installations immediately.
Daily Security Briefing
April 7, 2026
CVE-2026-5734 | CVSS 9.8 | CRITICAL Severity | No Known Active Exploitation
Affected Product
Mozilla Firefox < 149.0.2, Firefox ESR < 140.9.1, Thunderbird < 149.0.2, Thunderbird ESR < 140.9.1
Description
Multiple memory safety bugs were identified in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1, and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption, and Mozilla presumes that with sufficient effort, some could be exploited to achieve arbitrary code execution. The underlying weakness is classified as CWE-787 (Out-of-bounds Write).
Attack Vector
Network-based. The attack requires low complexity with no privileges and no user interaction, yielding high impact to confidentiality, integrity, and availability. An attacker could deliver a specially crafted web page or email content to trigger the memory corruption.
Remediation
Update Firefox to version 149.0.2 or later, Firefox ESR to version 140.9.1 or later, Thunderbird to version 149.0.2 or later, and Thunderbird ESR to version 140.9.1 or later. See Mozilla advisories MFSA2026-25, MFSA2026-27, MFSA2026-28, and MFSA2026-29 for details.
CISA Remediation Due Date: N/A
CVE-2026-5735 | CVSS 9.8 | CRITICAL Severity | No Known Active Exploitation
Affected Product
Mozilla Firefox < 149.0.2, Thunderbird < 149.0.2
Description
Additional memory safety bugs were found exclusively in Firefox 149.0.1 and Thunderbird 149.0.1 (not affecting the ESR channel). These bugs also showed evidence of memory corruption with presumed exploitability for arbitrary code execution. This is a separate set of bugs from CVE-2026-5734 and is classified under CWE-787 (Out-of-bounds Write).
Attack Vector
Network-based. Low complexity, no privileges required, no user interaction needed. High impact across confidentiality, integrity, and availability. Exploitation would likely involve visiting a malicious webpage or processing crafted email content in Thunderbird.
Remediation
Update Firefox to version 149.0.2 or later and Thunderbird to version 149.0.2 or later. See Mozilla advisories MFSA2026-25 and MFSA2026-28 for details.
CISA Remediation Due Date: N/A
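As an added example, not part of this briefing or of any Mozilla tooling, the Python below triages collected version strings against the fixed versions above, keeping the ESR line (140.9.1) and the release line (149.0.2) separate so that a patched 140.9.1esr install is not flagged just because 140 is below 149, and reporting that ESR installs are exposed only to CVE-2026-5734. The `esr` suffix in `firefox --version` output and the inference of ESR from the 140 major line are assumptions.

```python
import re

# Fixed versions from the briefing: ESR line 140.9.1, release line 149.0.2
# (the same thresholds apply to Firefox and Thunderbird).
FIXED = {"esr": (140, 9, 1), "release": (149, 0, 2)}

# CVE-2026-5735 does not affect the ESR channel; CVE-2026-5734 affects both.
CVES_BY_CHANNEL = {"esr": ["CVE-2026-5734"],
                   "release": ["CVE-2026-5734", "CVE-2026-5735"]}

# Matches '149.0.2', '149.0' or '140.9.1esr' at the end of a version string.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(esr)?\s*$")

def parse_version(text):
    """'Mozilla Firefox 140.9.1esr' -> ((140, 9, 1), 'esr')."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    # Assumption: ESR builds report an 'esr' suffix; when it is missing we
    # infer ESR from the 140 major line the advisory uses for that channel.
    channel = "esr" if m.group(4) or major == 140 else "release"
    return (major, minor, patch), channel

def assess(version_text):
    """Return (status, channel, fixed_version) for one installed version."""
    version, channel = parse_version(version_text)
    fixed = FIXED[channel]
    status = "patched" if version >= fixed else "update required"
    return status, channel, ".".join(map(str, fixed))

def affected_cves(version_text):
    """CVEs from this briefing that the installed version is still exposed to."""
    status, channel, _ = assess(version_text)
    return [] if status == "patched" else list(CVES_BY_CHANNEL[channel])

if __name__ == "__main__":
    # Constructed sample inventory, e.g. collected from `firefox --version`.
    for host, version_text in [("ws01", "Mozilla Firefox 149.0.2"),
                               ("ws02", "Mozilla Firefox 140.9.1esr"),
                               ("ws03", "Mozilla Firefox 149.0.1"),
                               ("mail1", "Mozilla Thunderbird 140.9.0esr")]:
        status, channel, target = assess(version_text)
        print(host, channel, status, target, affected_cves(version_text))
```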
This report is generated automatically from NVD and CISA KEV data.