Mozilla has released Firefox 150, addressing 41 security vulnerabilities, including multiple high-severity flaws that could allow remote code execution (RCE).
The update focuses heavily on fixing memory safety issues such as use-after-free and uninitialized memory bugs, which are commonly exploited by attackers to gain control over systems.
Security experts strongly recommend users update immediately, as several of these vulnerabilities can be triggered through malicious web content, making them highly exploitable in real-world scenarios.
Among the most severe issues are two high-risk use-after-free vulnerabilities:
- CVE-2026-6746 in the DOM (Core & HTML) component
- CVE-2026-6747 in the WebRTC component
These flaws occur when freed memory is accessed incorrectly, potentially enabling attackers to execute arbitrary code or crash the browser.
Such bugs are particularly dangerous because they can be exploited simply by convincing a user to visit a malicious webpage.
Other high-severity vulnerabilities include memory corruption issues in Web Codecs, Canvas2D, and WebRender, as well as privilege escalation flaws that could allow attackers to break out of browser sandboxes.
Interestingly, Mozilla noted that security researchers used AI tools, including Anthropic’s Claude, to help identify some of these complex vulnerabilities, highlighting the growing role of AI in vulnerability research.
| CVE ID | Vulnerability Description | Impact |
|---|---|---|
| CVE-2026-6746 | Use-after-free in the DOM: Core & HTML component | High |
| CVE-2026-6747 | Use-after-free in the WebRTC component | High |
| CVE-2026-6748 | Uninitialized memory in the Audio/Video: Web Codecs component | High |
| CVE-2026-6749 | Information disclosure due to uninitialized memory in Graphics: Canvas2D | High |
| CVE-2026-6750 | Privilege escalation in the Graphics: WebRender component | High |
| CVE-2026-6751 | Uninitialized memory in the Audio/Video: Web Codecs component | High |
| CVE-2026-6752 | Incorrect boundary conditions in the WebRTC component | High |
| CVE-2026-6753 | Incorrect boundary conditions in the WebRTC component | High |
| CVE-2026-6754 | Use-after-free in the JavaScript Engine component | High |
| CVE-2026-6755 | Mitigation bypass in the DOM: postMessage component | Moderate |
| CVE-2026-6756 | Mitigation bypass in Firefox for Android | Moderate |
| CVE-2026-6757 | Invalid pointer in the JavaScript: WebAssembly component | Moderate |
| CVE-2026-6758 | Use-after-free in the JavaScript: WebAssembly component | Moderate |
| CVE-2026-6759 | Use-after-free in the Widget: Cocoa component | Moderate |
| CVE-2026-6760 | Mitigation bypass in the Networking: Cookies component | Moderate |
| CVE-2026-6761 | Privilege escalation in the Networking component | Moderate |
| CVE-2026-6762 | Spoofing issue in the DOM: Core & HTML component | Moderate |
| CVE-2026-6763 | Mitigation bypass in the File Handling component | Moderate |
| CVE-2026-6764 | Incorrect boundary conditions in the DOM: Device Interfaces component | Moderate |
| CVE-2026-6765 | Information disclosure in the Form Autofill component | Moderate |
| CVE-2026-6766 | Incorrect boundary conditions in the Libraries component in NSS | Moderate |
| CVE-2026-6767 | Other issue in the Libraries component in NSS | Moderate |
| CVE-2026-6768 | Mitigation bypass in the Networking: Cookies component | Moderate |
| CVE-2026-6769 | Privilege escalation in the Debugger component | Moderate |
| CVE-2026-6770 | Other issue in the Storage: IndexedDB component | Moderate |
| CVE-2026-6771 | Mitigation bypass in the DOM: Security component | Moderate |
| CVE-2026-6772 | Incorrect boundary conditions in the Libraries component in NSS | Moderate |
| CVE-2026-6773 | Denial-of-service due to integer overflow in Graphics: WebGPU | Low |
| CVE-2026-6774 | Mitigation bypass in the DOM: Security component | Low |
| CVE-2026-6775 | Incorrect boundary conditions in the WebRTC component | Low |
| CVE-2026-6776 | Incorrect boundary conditions in the WebRTC: Networking component | Low |
| CVE-2026-6777 | Other issue in the Networking: DNS component | Low |
| CVE-2026-6778 | Invalid pointer in the Audio/Video: Playback component | Low |
| CVE-2026-6779 | Other issue in the JavaScript Engine component | Low |
| CVE-2026-6780 | Denial-of-service in the Audio/Video: Playback component | Low |
| CVE-2026-6781 | Denial-of-service in the Audio/Video: Playback component | Low |
| CVE-2026-6782 | Information disclosure in the IP Protection component | Low |
| CVE-2026-6783 | Incorrect boundary conditions/integer overflow in Audio/Video: Playback | Low |
| CVE-2026-6784 | Memory safety bugs fixed in Firefox 150 and Thunderbird 150 | High |
| CVE-2026-6785 | Memory safety bugs fixed in ESR 115.35, ESR 140.10, and Firefox 150 | High |
| CVE-2026-6786 | Memory safety bugs fixed in ESR 140.10 and Firefox 150 | High |
Users should update to Firefox 150 immediately via the browser’s automatic update feature or by downloading the latest version from Mozilla’s official site.
Organizations are advised to prioritize patch deployment, especially in environments where browsers are frequently exposed to untrusted content.
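For patch prioritization, the following added example (not from Mozilla or the original article) flags hosts in a software inventory that are below the fixed versions named in the table: Firefox 150, ESR 115.35 and ESR 140.10. It assumes the inventory reports ESR builds with an `esr` suffix; the hostnames, sample versions and status labels are constructed for illustration.

```python
import re

# First fixed versions named in the article's table (CVE-2026-6784 to -6786 rows).
FIXED_RELEASE = (150, 0)
FIXED_ESR = {115: (115, 35), 140: (140, 10)}  # ESR branch -> first fixed build

def parse_version(text):
    """Split '149.0.2' or '140.9.0esr' into a numeric tuple and an ESR flag."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognized version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    if len(nums) < 2:
        nums += (0,)  # treat '150' as '150.0' so tuple comparison is fair
    return nums, bool(m.group(2))

def classify(version):
    """Return 'patched', 'outdated', 'unlisted-esr' or 'unparsed'."""
    try:
        nums, is_esr = parse_version(version)
    except ValueError:
        return "unparsed"  # e.g. beta builds; needs manual review
    if is_esr:
        fixed = FIXED_ESR.get(nums[0])
        if fixed is None:
            return "unlisted-esr"  # branch the article gives no fixed version for
        return "patched" if nums >= fixed else "outdated"
    return "patched" if nums >= FIXED_RELEASE else "outdated"

def audit(inventory):
    """Return (host, version, status) for every host that is not 'patched'."""
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return [row for row in rows if row[2] != "patched"]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "150.0"),
    ("ws-002", "149.0.2"),
    ("ws-003", "140.9.0esr"),
    ("ws-004", "140.10.0esr"),
    ("ws-005", "115.35.0esr"),
    ("ws-006", "128.14.0esr"),
    ("ws-007", "150.0b3"),
]

if __name__ == "__main__":
    for host, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host}\t{version}\t{status}")
```

Hosts reported as `unlisted-esr` or `unparsed` need manual review, since the article gives no fixed version for those builds.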
This release highlights the continued risk posed by memory safety issues and the importance of rapid patching to defend against evolving web-based attacks.