What is the CVSS score of CVE-2026-5734?

CVE-2026-5734 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Red Hat are affected by CVE-2026-5734?

Critical memory corruption vulnerabilities in Mozilla Firefox and Firefox ESR allow unauthenticated remote code execution on affected systems with no user interaction required.. A patch is available.

Red Hat CVE-2026-5734

Q: How to fix or mitigate CVE-2026-5734?

Within 24 hours: Inventory all Firefox and Firefox ESR installations across the organization and identify endpoints running versions below 149.0.2 or 140.9.1 respectively. Within 7 days: Deploy Firefox 149.0.2 or later (or Firefox ESR 140.9.1 or later for ESR users) via your endpoint management system to all affected endpoints; prioritize systems with internet-facing roles and administrative access. Within 30 days: Verify 100% patch compliance through vulnerability scanning and update your browser deployment policy to enforce automatic updates.

EUVD-2026-19614 CRITICAL

Out-of-bounds Write (CWE-787)

2026-04-07 mozilla

RCE Buffer Overflow Memory Corruption Red Hat Mozilla Suse

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:45 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

149.0.2,140.9.1

EUVD ID Assigned

Apr 07, 2026 - 13:00 euvd

EUVD-2026-19614

Analysis Generated

Apr 07, 2026 - 13:00 vuln.today

CVE Published

Apr 07, 2026 - 12:43 nvd

CRITICAL 9.8

DescriptionNVD

Memory safety bugs present in Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and Thunderbird 149.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 149.0.2 and Firefox ESR < 140.9.1.

AnalysisAI

Multiple memory corruption vulnerabilities in Mozilla Firefox (< 149.0.2) and Firefox ESR (< 140.9.1) enable unauthenticated remote code execution with critical CVSS 9.8 severity. These memory safety bugs-including CWE-787 out-of-bounds write issues-affect both standard and Extended Support Release channels, with Mozilla confirming evidence of memory corruption exploitable for arbitrary code execution. …

RemediationAI

Within 24 hours: Inventory all Firefox and Firefox ESR installations across the organization and identify endpoints running versions below 149.0.2 or 140.9.1 respectively. Within 7 days: Deploy Firefox 149.0.2 or later (or Firefox ESR 140.9.1 or later for ESR users) via your endpoint management system to all affected endpoints; prioritize systems with internet-facing roles and administrative access. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory