What is the CVSS score of CVE-2026-5731?

CVE-2026-5731 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Red Hat are affected by CVE-2026-5731?

Mozilla Firefox and Thunderbird contain critical memory corruption vulnerabilities allowing unauthenticated remote code execution with no user interaction required, affecting all desktop users…. A patch is available.

Red Hat CVE-2026-5731

Q: How to fix or mitigate CVE-2026-5731?

Within 24 hours: Identify all Firefox and Thunderbird deployments using versions prior to Firefox 149.0.2, Firefox ESR 115.34.1, or Firefox ESR 140.9.1 via endpoint management tools. Within 7 days: Deploy patches to all affected systems-update Firefox to 149.0.2 or later, Firefox ESR to 115.34.1 or 140.9.1 depending on organization's ESR track, and Thunderbird to patched equivalent versions. Within 30 days: Conduct security awareness reminder to users regarding browser update importance and report on patch compliance metrics to leadership.

EUVD-2026-19610 CRITICAL

Buffer Overflow (CWE-119)

2026-04-07 mozilla

GHSA-fwrw-mfrr-q8px

RCE Buffer Overflow Red Hat Mozilla Suse

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 16, 2026 - 19:07 vuln.today

cvss_changed

Analysis Updated

Apr 16, 2026 - 05:45 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

115.34.1,140.9.1,149.0.2

EUVD ID Assigned

Apr 07, 2026 - 13:00 euvd

EUVD-2026-19610

Analysis Generated

Apr 07, 2026 - 13:00 vuln.today

CVE Published

Apr 07, 2026 - 12:43 nvd

CRITICAL 9.8

DescriptionNVD

Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2, Firefox ESR < 115.34.1, and Firefox ESR < 140.9.1.

AnalysisAI

Remote code execution in Mozilla Firefox and Thunderbird via memory corruption vulnerabilities allows unauthenticated remote attackers to execute arbitrary code without user interaction. Affects Firefox <149.0.2, Firefox ESR <115.34.1, and Firefox ESR <140.9.1 across desktop platforms. …

RemediationAI

Within 24 hours: Identify all Firefox and Thunderbird deployments using versions prior to Firefox 149.0.2, Firefox ESR 115.34.1, or Firefox ESR 140.9.1 via endpoint management tools. Within 7 days: Deploy patches to all affected systems-update Firefox to 149.0.2 or later, Firefox ESR to 115.34.1 or 140.9.1 depending on organization's ESR track, and Thunderbird to patched equivalent versions. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory