Mozilla Patches Critical Memory Safety Bugs CVE-2026-5731/5734/5735 in Firefox and Thunderbird
Summary
Mozilla released security updates addressing multiple critical memory safety vulnerabilities (CVE-2026-5731, CVE-2026-5734, CVE-2026-5735) in Firefox, Firefox ESR, and Thunderbird with CVSS scores of 9.8. The bugs showed evidence of memory corruption and could potentially be exploited to run arbitrary code. Affected versions include Firefox ESR 115.34.0, Firefox ESR 140.9.0, Firefox 149.0.1, Thunderbird ESR 140.9.0, and Thunderbird 149.0.1.
Threat Analysis
Mozilla addressed a cluster of critical memory safety vulnerabilities in its Firefox browser and Thunderbird email client. CVE-2026-5731 affects Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1, and Thunderbird 149.0.1. CVE-2026-5734 affects Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1, and Thunderbird 149.0.1. CVE-2026-5735 affects Firefox 149.0.1 and Thunderbird 149.0.1.

All three vulnerabilities carry a CVSS v3 base score of 9.8 (Critical). The bugs involve memory corruption issues that, with sufficient effort, could be exploited to run arbitrary code. Mozilla has released patches via security advisories MFSA2026-25, MFSA2026-26, MFSA2026-27, and MFSA2026-28. These vulnerabilities affect hundreds of millions of Firefox and Thunderbird users worldwide.

Mitigations: Update Firefox to version 149.0.2 or later, Firefox ESR to 140.10.0 or 115.35.0, and Thunderbird to the latest patched version. Enterprise administrators should prioritize deployment of these updates given the critical CVSS scores.
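
The Firefox version floors from the mitigation text, applied to a software inventory (an added example, not Mozilla's code; the host names, record layout and function names are constructed for illustration). Thunderbird records, and ESR branches other than 115 and 140, are sent to manual review because the text above gives no fixed version number for them.

```python
# Fixed-version floors taken from the mitigation text above.
FIREFOX_RELEASE_FLOOR = (149, 0, 2)
FIREFOX_ESR_FLOORS = {115: (115, 35, 0), 140: (140, 10, 0)}

def parse_version(text):
    """'140.9.0esr' -> (140, 9, 0); short versions are padded with zeros."""
    core = text.strip().lower().removesuffix("esr")
    parts = [int(p) for p in core.split(".")]  # ValueError on e.g. '150.0b1'
    return tuple(parts + [0] * (3 - len(parts)))

def assess(product, channel, version):
    """Return 'patched', 'update' or 'review' for one inventory record."""
    if product.lower() != "firefox":
        # No fixed Thunderbird version is stated on the page: do not guess one.
        return "review"
    try:
        parsed = parse_version(version)
    except ValueError:
        return "review"  # pre-release or malformed version string
    if channel.lower() == "esr":
        floor = FIREFOX_ESR_FLOORS.get(parsed[0])
        if floor is None:
            return "review"  # ESR branch not covered by the page
    else:
        floor = FIREFOX_RELEASE_FLOOR
    return "patched" if parsed >= floor else "update"

# Constructed sample inventory: (host, product, channel, version).
INVENTORY = [
    ("ws-01", "Firefox", "release", "149.0.1"),
    ("ws-02", "Firefox", "release", "149.0.2"),
    ("ws-03", "Firefox", "esr", "140.9.0esr"),
    ("ws-04", "Firefox", "esr", "115.35.0esr"),
    ("ws-05", "Thunderbird", "release", "149.0.1"),
]

def triage(inventory):
    """Group host names by the status assess() assigns to their record."""
    result = {"update": [], "review": [], "patched": []}
    for host, product, channel, version in inventory:
        result[assess(product, channel, version)].append(host)
    return result

if __name__ == "__main__":
    for status, hosts in triage(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```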