{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5733", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-07T12:43:13.392Z", "datePublished": "2026-04-07T12:43:13.804Z", "dateUpdated": "2026-04-13T13:51:30.439Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "149.0.2", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "149.0.2", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2."}]}], "title": "Incorrect boundary conditions in the Graphics: WebGPU component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2022554"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-25/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-28/"}], "credits": [{"lang": "en", "value": "Inseo An"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:51:30.439Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T14:34:23.846009Z", "id": "CVE-2026-5733", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:34:53.720Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5733", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-07T14:34:23.846009Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T14:33:08.217Z"}}], "cna": {"title": "Incorrect boundary conditions in the Graphics: WebGPU component", "credits": [{"lang": "en", "value": "Inseo An"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "149.0.2", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "149.0.2", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2022554"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-25/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-28/"}], "descriptions": [{"lang": "en", "value": "Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.", "supportingMedia": [{"type": "text/html", "value": "Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-13T13:51:30.439Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5733", "state": "PUBLISHED", "dateUpdated": "2026-04-13T13:51:30.439Z", "dateReserved": "2026-04-07T12:43:13.392Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-04-07T12:43:13.804Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "CF910B3C-C241-48B5-9066-260750E8E7ED", "versionEndExcluding": "149.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect boundary conditions in the Graphics: WebGPU component. This vulnerability was fixed in Firefox 149.0.2 and Thunderbird 149.0.2."}], "id": "CVE-2026-5733", "lastModified": "2026-04-13T15:17:46.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T13:16:47.567", "references": [{"source": "security@mozilla.org", "tags": ["Issue Tracking", "Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2022554"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-25/"}, {"source": "security@mozilla.org", "url": "https://www.mozilla.org/security/advisories/mfsa2026-28/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "firefox: Incorrect boundary conditions in the Graphics: WebGPU component", "id": "2455902", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455902"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["A flaw was found in Firefox. The Mozilla Foundation's Security Advisory describes the following issue:\nIncorrect boundary conditions in the Graphics: WebGPU component"], "name": "CVE-2026-5733", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "rhel10/firefox-flatpak", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "firefox", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-07T12:43:13Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-5733\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-5733\nhttps://www.mozilla.org/security/advisories/mfsa2026-25/#CVE-2026-5733"], "statement": "Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,149.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,149.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Thunderbird", "source": "cna", "vendor": "Mozilla"}, "product": "thunderbird", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-13T16:07:46.699929+00:00", "value": {"mitigation_remediation": ["Update Mozilla Firefox to version 149.0.2 or later", "Update Mozilla Thunderbird to version 149.0.2 or later", "If an immediate update is not possible, disable the WebGPU feature by setting the corresponding configuration option to false in the browser\u2019s configuration page"], "summary": {"action": "Immediate Patch", "impact": "Arbitrary code execution via WebGPU"}, "threat_synthesis": {"affected_systems": "The flaw affects Mozilla Firefox and Mozilla Thunderbird browsers running versions prior to 149.0.2. Any user running a vulnerable build of these applications is potentially exposed until they upgrade to the fixed releases.", "description_and_impact": "The vulnerability arises from improper handling of boundary conditions within the Graphics: WebGPU component, creating an opportunity for memory corruption. The issue is classified as a buffer overflow and an out\u2011of\u2011bounds write, allowing an attacker who can introduce malicious WebGPU instructions to overwrite critical memory and potentially execute arbitrary code. The impact is severe, threatening the confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "With a CVSS score of 8.8, the vulnerability is considered high severity. The EPSS score of less than 1% indicates a low expected exploitation probability, and it is not yet listed in CISA\u2019s KEV catalog. Based on the nature of the flaw and its location in a web\u2011based graphics API, the attack vector is inferred to be remote, most likely through a malicious webpage or email that triggers the WebGPU component."}}}}, "created": "2026-04-08T19:38:05.220193+00:00", "updated": "2026-04-14T16:41:02.246676+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox", "mozilla$PRODUCT$thunderbird"]}