On April 7, 2026 Mozilla published advisory MFSA 2026-25 alongside Firefox 149.0.2, fixing several memory-safety bugs rated as high impact. Some of those bugs showed evidence of memory corruption, which in practice means an attacker with enough effort could end up running arbitrary code inside the browser. There is no sign of in-the-wild exploitation here, but the risk is real and the patch is worth applying soon.
What the advisory fixes
The advisory groups several CVEs. Three of them are the kind of memory-safety bugs that Mozilla’s fuzzing team and other researchers keep finding:
- CVE-2026-5731, CVE-2026-5734 and CVE-2026-5735: high-impact memory-safety bugs. Mozilla notes that some showed evidence of memory corruption and that, with enough effort, they could be exploited to run arbitrary code. Reported by Brian Grinstead, Christian Holler, Tom Schuster and the Mozilla Fuzzing Team.
- CVE-2026-5732: incorrect boundary conditions and an integer overflow in the graphics text component. High impact. Reported by Sajeeb Lohani.
- CVE-2026-5733: incorrect boundary conditions in WebGPU. High impact. Reported by Inseo An.
The pattern is familiar. Most of these bugs ship without a public exploit, but memory corruption in a browser is exactly the kind of flaw that turns into a working attack chain if nobody closes it.
Who is affected
This affects Firefox before version 149.0.2. Since Thunderbird shares much of the Firefox engine, the mail client gets the equivalent fixes too. Which ESR releases receive a fix depends on the bug: CVE-2026-5731, for instance, is also fixed in Firefox ESR 115.34.1 and ESR 140.9.1, plus Thunderbird 149.0.2 and Thunderbird ESR 140.9.1.
If you run a Linux distribution, the Firefox package in your repository or your Flatpak/Snap build should pick up these fixes shortly after release. Check that the installed version is 149.0.2 or later.
How serious it is
Mozilla rates the set as high impact, not critical. That distinction matters: there is no record of active exploitation and no zero-day here. Even so, a memory-safety bug with signs of corruption in the browser process is among the ones you want closed quickly, because the browser handles untrusted web content all day long. A malicious page is enough of an entry point.
What to do
Update to Firefox 149.0.2 (or the matching ESR release) and to Thunderbird 149.0.2. On the desktop, Firefox usually downloads the update in the background; restarting the browser applies it. You can force a check from the menu, under Help, “About Firefox”.
On Linux, update through your usual package manager:
- Debian/Ubuntu:
sudo apt update && sudo apt upgrade firefox (or firefox-esr)
- Fedora:
sudo dnf upgrade firefox
- Arch:
sudo pacman -Syu firefox
- Flatpak:
flatpak update org.mozilla.firefox
For Thunderbird, follow the same steps with the matching package. Restart the application after updating so the new binary takes effect.
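To make the "149.0.2 or later" check scriptable across a fleet, here is an added example in POSIX sh (not from the advisory or from Mozilla): it compares the installed version numerically against the fixed release for its branch, using 149.0.2 for mainline and, as an assumption, the ESR 115.34.1 and 140.9.1 releases the advisory lists for CVE-2026-5731 as the thresholds for the two ESR branches. It reads the version with firefox --version; FIREFOX_BIN is an assumed override for the binary path.

```shell
#!/bin/sh
# Added example (not from the advisory): is an installed Firefox version at or
# past the fixed release for its branch? Thresholds: 149.0.2 mainline; 115.34.1
# and 140.9.1 are the ESR releases listed for CVE-2026-5731 (assumed per-branch).

# Numeric comparison of dotted versions, so 149.0.10 sorts above 149.0.2.
# Returns 0 if $1 >= $2, 1 otherwise.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        # Drop suffixes such as "esr" in "140.9.1esr"; missing parts count as 0.
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Fixed release for the branch the installed major version belongs to.
fixed_version_for() {
    case "${1%%.*}" in
        115) echo "115.34.1" ;;
        140) echo "140.9.1" ;;
        *)   echo "149.0.2" ;;
    esac
}

# firefox_is_patched VERSION: exit 0 if VERSION carries the fix, 1 if not.
firefox_is_patched() {
    version_ge "$1" "$(fixed_version_for "$1")"
}

# Read the version from the binary on PATH; "firefox --version" prints
# "Mozilla Firefox 149.0.2". FIREFOX_BIN (assumed name) overrides the binary.
installed_firefox_version() {
    "${FIREFOX_BIN:-firefox}" --version 2>/dev/null | sed -n 's/^Mozilla Firefox //p'
}

# Run with --check to report on the locally installed build.
if [ "${1:-}" = "--check" ]; then
    v="$(installed_firefox_version)"
    firefox_is_patched "$v" && echo "Firefox $v: fixed release or later" || echo "Firefox ${v:-unknown}: update needed"
fi
```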
Source
- Mozilla Foundation Security Advisory MFSA 2026-25: https://www.mozilla.org/en-US/security/advisories/mfsa2026-25/