CVE-2026-5734

Description

Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* - VULNERABLE

Firefox ESR 140.9.0

Thunderbird ESR 140.9.0

Firefox 149.0.1

Thunderbird 149.0.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!--
// PoC for CVE-2026-5734 Memory Corruption
// This is a conceptual trigger for demonstration.
-->
<!DOCTYPE html>
<html>
<head>
    <title>CVE-2026-5734 PoC</title>
</head>
<body>
<script>
    // Attempt to trigger memory corruption in vulnerable versions
    function triggerVuln() {
        try {
            // Allocate large buffer to stress memory
            var size = 0x10000;
            var arr = new Array(size);
            
            // Fill buffer with pattern
            for (var i = 0; i < size; i++) {
                arr[i] = new Uint8Array(1024);
            }
            
            // Specific manipulation to cause corruption (Hypothetical)
            // Exploit depends on specific Bugzilla IDs mentioned in advisory
            var obj = {};
            obj.prop = arr;
            
            // Force access
            console.log("Object size: " + JSON.stringify(obj).length);
            
        } catch (e) {
            console.log("Exception caught: " + e.message);
        }
    }
    triggerVuln();
</script>
</body>
</html>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-5734
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-5734
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-5734/
[4] VulDB https://vuldb.com/cve/CVE-2026-5734
[5] https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022369%2C2023026%2C2023545%2C2023555%2C2023958%2C2025422%2C2025468%2C2025492%2C2025505
[6] https://www.mozilla.org/security/advisories/mfsa2026-25/
[7] https://www.mozilla.org/security/advisories/mfsa2026-27/
[8] https://www.mozilla.org/security/advisories/mfsa2026-28/
[9] https://www.mozilla.org/security/advisories/mfsa2026-29/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-5734", "sourceIdentifier": "[email protected]", "published": "2026-04-07T13:16:47.667", "lastModified": "2026-04-13T15:17:46.820", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 149.0.2, Firefox ESR 140.9.1, Thunderbird 149.0.2, and Thunderbird 140.9.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-120"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.9.1", "matchCriteriaId": "68770777-CF92-4F1C-A7FB-874344D23D39"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "149.0.2", "matchCriteriaId": "CF910B3C-C241-48B5-9066-260750E8E7ED"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.9.1", "matchCriteriaId": "2D9A64DA-C9F4-4EFC-A3C8-84C442DD4B6A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "versionEndExcluding": "149.0.2", "matchCriteriaId": "5FB6BDEF-D9FC-4C5C-9098-03DCA98223D3"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=2022369%2C2023026%2C2023545%2C2023555%2C2023958%2C2025422%2C2025468%2C2025492%2C2025505", "source": "[email protected]", "tags": ["Broken Link", "Issue Tracking"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-25/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-27/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-28/", "source": "[email protected]"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-29/", "source": "[email protected]"}]}}