Mozilla released Firefox 150 on April 21, 2026, patching 41 security vulnerabilities

Mozilla released Firefox 150 on April 21, 2026, patching 41 security vulnerabilities, including 9 rated High severity, spanning critical browser components such as DOM, WebRTC, JavaScript Engine, Web Codecs, and Graphics.

The sweeping update, covered under Mozilla Foundation Security Advisory (MFSA) 2026-30, also extends fixes to Firefox ESR 115.35, Firefox ESR 140.10, Thunderbird 140.10, and Thunderbird 150, making it one of the most significant browser security releases of 2026.

Security professionals and everyday users alike must treat this update as urgent: several of the patched flaws involve use-after-free and uninitialized memory vulnerabilities that could allow attackers to execute arbitrary code on vulnerable systems simply by luring a victim to a malicious webpage.

The comprehensive breakdown of all Common Vulnerabilities and Exposures (CVEs) addressed in Firefox 150 is detailed below.

All users running Firefox versions before 150, Firefox ESR before 115.35 or 140.10, Thunderbird before 140.10 or 150, and Firefox for Android are vulnerable.

To update Firefox, navigate to Menu → Help → About Firefox, and the browser will auto-detect and apply the update. Enterprise administrators managing large deployments should prioritize this patch within their standard update cycles, particularly given the potential for privilege escalation and arbitrary code execution posed by the high-severity CVEs.

Notably, Thunderbird users should be aware that while most of these flaws cannot be triggered directly via email (since scripting is disabled when reading mail), they remain exploitable in browser-like rendering contexts such as embedded HTML or calendar attachments.

FAQ

Q1: Is Firefox 150 actively exploited in the wild? 

Mozilla has not confirmed active exploitation, but the severity and exploit potential of the use-after-free CVEs make rapid patching critical before threat actors develop working exploits.

Q2: Does this affect Firefox for Android users? 

Yes, CVE-2026-6756 specifically targets Firefox for Android as a mitigation bypass flaw rated moderate severity, requiring Android users to update via the Google Play Store.

Q3: Are Firefox ESR users protected if they update to ESR 140.10 or ESR 115.35? 

Yes, both ESR branches received the applicable subset of patches from this advisory, including the critical memory safety bugs covered under CVE-2026-6785 and CVE-2026-6786.

Q4: Did AI tools play a role in finding these vulnerabilities? 

Yes, CVE-2026-6746, CVE-2026-6757, and CVE-2026-6758 were all discovered by a research team that used Anthropic’s Claude AI model as part of their security research methodology, marking a notable milestone in AI-assisted vulnerability discovery.

The 9 high-severity CVEs pose a risk of arbitrary code execution or privilege escalation, making Firefox 150 the most security-critical Firefox release in recent history. All users should immediately update to Firefox 150, Firefox ESR 115.35, or Firefox ESR 140.10 to mitigate exposure.

Site: https://thecybrdef.com

About the Author

John

Author

John is an independent cybersecurity researcher covering vulnerabilities, malware campaigns, and emerging threats in the cybersecurity landscape.

Visit Website View All Posts