Mozilla fixes high-severity Firefox and Thunderbird flaws in Firefox 150 and ESR updates
Mozilla released Firefox 150 and updated Firefox ESR branches to address multiple security vulnerabilities, prompting downstream advisories from Debian and the Canadian Centre for Cyber Security. The fixes cover Firefox versions prior to 150, Firefox ESR versions prior to 140.10 and 115.35, and include vulnerabilities tracked as CVE-2026-6768, CVE-2026-6784, CVE-2026-6785, and CVE-2026-6786. CVE-2026-6768 was described as a mitigation bypass in Firefox’s Networking: Cookies component and was assigned a CVSS 9.8 score, indicating potentially severe impact if left unpatched.
Mozilla also shipped related security fixes in Thunderbird 150, which uses Firefox’s web engine and addressed issues including a clickjacking and information disclosure flaw referenced in the Firefox advisories. Alongside the security patches, Mozilla’s releases included broad product updates such as privacy and platform changes in Firefox and improved encrypted-message search and OpenPGP features in Thunderbird. Government and Linux distribution advisories urged users and administrators to review Mozilla’s bulletins and apply the latest browser and mail client updates promptly.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Thunderbird 150 released with security patches and feature updates
Thunderbird 150.0 was released with new features, bug fixes, and security patches affecting its web engine, including fixes tied to Firefox advisories. The release added encrypted message search, OpenPGP signature improvements, and PDF viewer enhancements.
CVE-2026-6768 record updated with CVSS and CWE details
The CVE record for CVE-2026-6768 was updated to add a CVSS v3.1 vector, classify the weakness as CWE-288, and include references to a Mozilla Bugzilla entry and MFSA2026-30.
Mozilla releases Firefox 150 and Firefox ESR security updates
Mozilla published security advisories for Firefox versions prior to 150, Firefox ESR versions prior to 140.10, and Firefox ESR versions prior to 115.35, and made the corresponding updates available. The fixes included vulnerabilities such as CVE-2026-6768, which was addressed in Firefox 150.
Debian releases firefox-esr security update DSA 6202-1
Debian published security advisory DSA 6202-1 for firefox-esr, announcing a security update for the package.
Sources
Mozilla security advisory (AV26-372) - Canadian Centre for Cyber Security
cyber.gc.ca
CVE-2026-6768 - Mitigation bypass in the Networking: Cookies component
cvefeed.io
Thunderbird 150 arrives with encrypted message search and OpenPGP improvements - Help Net Security
helpnetsecurity.com
[SECURITY] [DSA 6202-1] firefox-esr security update
lists.debian.org
Firefox 150 ... 359 ...
opennet.me


