{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6777", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "state": "PUBLISHED", "assignerShortName": "mozilla", "dateReserved": "2026-04-21T12:41:08.101Z", "datePublished": "2026-04-21T12:41:08.452Z", "dateUpdated": "2026-04-21T23:35:12.791Z"}, "containers": {"cna": {"affected": [{"product": "Firefox", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}, {"product": "Thunderbird", "vendor": "Mozilla", "versions": [{"status": "unaffected", "version": "150", "lessThanOrEqual": "*", "versionType": "rpm"}]}], "descriptions": [{"lang": "en", "value": "Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunderbird 150."}]}], "title": "Other issue in the Networking: DNS component", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2022726"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}], "credits": [{"lang": "en", "value": "b00rito"}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:35:12.791Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-20", "lang": "en", "description": "CWE-20 Improper Input Validation"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-352", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T17:19:10.760556Z", "id": "CVE-2026-6777", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:19:18.744Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6777", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T17:19:10.760556Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:17:33.129Z"}}], "cna": {"title": "Other issue in the Networking: DNS component", "credits": [{"lang": "en", "value": "b00rito"}], "affected": [{"vendor": "Mozilla", "product": "Firefox", "versions": [{"status": "unaffected", "version": "150", "versionType": "rpm", "lessThanOrEqual": "*"}]}, {"vendor": "Mozilla", "product": "Thunderbird", "versions": [{"status": "unaffected", "version": "150", "versionType": "rpm", "lessThanOrEqual": "*"}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2022726"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}], "descriptions": [{"lang": "en", "value": "Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.", "supportingMedia": [{"type": "text/html", "value": "Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.", "base64": false}]}], "providerMetadata": {"orgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "shortName": "mozilla", "dateUpdated": "2026-04-21T23:35:12.791Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6777", "state": "PUBLISHED", "dateUpdated": "2026-04-21T23:35:12.791Z", "dateReserved": "2026-04-21T12:41:08.101Z", "assignerOrgId": "f16b083a-5664-49f3-a51e-8d479e5ed7fe", "datePublished": "2026-04-21T12:41:08.452Z", "assignerShortName": "mozilla"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "matchCriteriaId": "67B01D49-66FA-4C76-9EB4-2B8CD61FBEB2", "versionEndExcluding": "150.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C81F2D4-C004-4354-B3E2-E3F407DAB22A", "versionEndExcluding": "150.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Other issue in the Networking: DNS component. This vulnerability was fixed in Firefox 150 and Thunderbird 150."}], "id": "CVE-2026-6777", "lastModified": "2026-04-22T15:08:29.453", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-21T13:16:23.430", "references": [{"source": "security@mozilla.org", "tags": ["Permissions Required"], "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2022726"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-30/"}, {"source": "security@mozilla.org", "tags": ["Vendor Advisory"], "url": "https://www.mozilla.org/security/advisories/mfsa2026-33/"}], "sourceIdentifier": "security@mozilla.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "Firefox: Firefox: Unspecified security flaw in Networking: DNS component", "id": "2460081", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460081"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-676", "details": ["A flaw was found in Firefox. This vulnerability affects the browser's Networking: DNS component. The specific nature of this issue and its potential impact are not detailed in the available information, but it represents an uncharacterized security concern."], "name": "CVE-2026-6777", "public_date": "2026-04-21T12:41:08Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6777\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6777\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=2022726\nhttps://www.mozilla.org/security/advisories/mfsa2026-30/"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "[150,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Firefox", "source": "cna", "vendor": "Mozilla"}, "product": "firefox", "vendor": "mozilla"}], "analysis": {"en": {"generated_at": "2026-04-22T19:41:28.693293+00:00", "value": {"mitigation_remediation": ["Install the latest Mozilla Firefox and Thunderbird releases (version 150 or newer) to apply the fix for the DNS component flaw.", "If an immediate upgrade is not possible, configure the browser to use a trusted external DNS resolver or enable DNSSEC validation to reduce exposure to manipulated DNS responses.", "Monitor system logs for anomalous DNS traffic or repeated resolution failures, and use network filtering to limit outbound DNS queries from the affected applications."], "summary": {"action": "Immediate Update", "impact": "DNS Vulnerability"}, "threat_synthesis": {"affected_systems": "Mozilla Firefox and Mozilla Thunderbird are affected. The flaw was fixed in version 150 of both products, so versions prior to 150 are potentially vulnerable.", "description_and_impact": "Other issue in the Networking: DNS component was reported, affecting Mozilla Firefox and Mozilla Thunderbird. The description does not disclose the flaw\u2019s exact nature, so the precise impact remains unclear. However, as a core networking component, the vulnerability could potentially influence DNS resolution, leading to incorrect name resolution, denial\u2011of-service, or traffic redirection. These assertions are inferred rather than directly stated in the input. The CWE identifiers reflect weaknesses in input validation, cross\u2011site request forgery, resource exhaustion, and privilege validation, which together could allow an attacker to manipulate DNS queries, forge data, exhaust system resources, or elevate privileges if exploited.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. The EPSS score is less than 1%, pointing to a low probability of exploitation in the wild, and the vulnerability is not listed in CISA\u2019s KEV catalog. The lack of public exploitation evidence combined with a moderate CVSS suggests a cautious but not urgent stance. Attackers would likely need to deliver malicious DNS queries or forged responses to a victim\u2019s system over the network, exploiting weaknesses in input validation and privilege checks listed in the CWE identifiers. Because the flaw resides in a fundamental DNS component, successful exploitation could compromise name resolution, data integrity, and availability of the affected software."}}}}, "created": "2026-04-21T17:45:16.245913+00:00", "updated": "2026-04-22T19:45:25.284021+00:00", "vendors": ["mozilla", "mozilla$PRODUCT$firefox"]}