Firefox 150 closes code execution risks

Mozilla has released Firefox 150 with a broad security update that fixes 41 vulnerabilities, including multiple high-impact flaws tied to memory handling, browser components and privilege controls, prompting renewed calls for users and enterprise administrators to move quickly on patching. Mozilla’s advisory for the release was published on April 21, 2026, and classed the overall impact as high.

The most serious issues include CVE-2026-6746, a use-after-free flaw in Firefox’s DOM Core and HTML component, and CVE-2026-6747, another use-after-free bug in the WebRTC component. Mozilla rated both as high impact. Such flaws matter because use-after-free weaknesses can allow attackers to manipulate memory after it has been released, a class of bug long associated with browser crashes, data corruption and, in worst cases, remote code execution if successfully chained and exploited. The same advisory also lists high-impact problems in Web Codecs, Canvas2D, WebRender and the JavaScript engine, underlining how widely the patched weaknesses were spread across the browser stack.

Mozilla’s advisory also includes memory-safety entries that state some bugs showed evidence of memory corruption and were presumed capable, with enough effort, of being exploited to run arbitrary code. Those bundled entries, covering Firefox 150 as well as supported ESR branches and Thunderbird builds, reinforce the severity of the release even where individual exploit chains were not publicly described. Alongside the main Firefox 150 release, fixes were also shipped for Firefox ESR 140.10 and Firefox ESR 115.35, helping cover enterprise and legacy deployments that do not move on the rapid release cadence.
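An added example, not taken from Mozilla's advisory or from this article: triaging a fleet inventory against the fixed versions named above (Firefox 150, ESR 140.10, ESR 115.35). The host names, the inventory entries and the `esr` suffix in the reported version string are assumptions made for the illustration.

```python
import re

# Fixed versions as named in the article.
FIXED_RELEASE = (150, 0)
FIXED_ESR = {140: (140, 10), 115: (115, 35)}

# Assumed version-string shape: "Mozilla Firefox 140.9.0esr" / "Mozilla Firefox 149.0.2"
VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.\d+)*(esr)?", re.IGNORECASE)


def classify(version_string):
    """Return 'patched', 'vulnerable', 'review' or 'unparsed' for one install."""
    m = VERSION_RE.search(version_string)
    if not m:
        return "unparsed"
    found = (int(m.group(1)), int(m.group(2) or 0))
    if m.group(3):
        baseline = FIXED_ESR.get(found[0])
        if baseline is None:
            # ESR branch for which the article names no fixed build.
            return "review"
    else:
        baseline = FIXED_RELEASE
    # Compare as integer tuples: as strings, "140.9" would sort above "140.10".
    return "patched" if found >= baseline else "vulnerable"


def triage(inventory):
    """Map host -> status and return hosts that still need attention."""
    statuses = {host: classify(ver) for host, ver in inventory.items()}
    pending = sorted(h for h, s in statuses.items() if s != "patched")
    return statuses, pending


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "ws-001": "Mozilla Firefox 150.0",
    "ws-002": "Mozilla Firefox 149.0.2",
    "kiosk-07": "Mozilla Firefox 140.9.0esr",
    "kiosk-08": "Mozilla Firefox 140.10.0esr",
    "legacy-03": "Mozilla Firefox 115.34.1esr",
    "lab-11": "Mozilla Firefox 128.14.0esr",
}

if __name__ == "__main__":
    statuses, pending = triage(SAMPLE_INVENTORY)
    for host in sorted(statuses):
        print(f"{host:10} {statuses[host]}")
    print("needs attention:", ", ".join(pending))
```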

For users, the practical message is simple: updating is the main safeguard. Browsers sit on the front line of everyday exposure, handling untrusted web content, real-time communications, scripts, media streams and extensions. That makes them a frequent target for attackers looking to turn a single corrupted memory state or bounds-checking error into broader system compromise. Firefox 150’s patch list reflects that familiar attack surface, with high-severity or notable flaws touching WebRTC, DOM processing, WebAssembly, networking, graphics and media playback. Several moderate-impact vulnerabilities also involved mitigation bypasses, privilege escalation and information disclosure, which can become more dangerous when combined with another bug rather than exploited in isolation.

The release also arrives amid a wider shift in how software flaws are being discovered. Mozilla said this week that Firefox 150 includes fixes for 271 vulnerabilities identified during an initial evaluation using Anthropic’s Claude Mythos Preview, an early AI-assisted security testing effort. That figure is larger than the 41 CVE entries described in the public Firefox 150 advisory because a single CVE can cover multiple underlying bugs and not every defect necessarily appears as a separately listed public vulnerability record. Even so, the disclosure points to a new phase in browser security, where automated reasoning and fuzzing-assisted methods may sharply increase the volume of weaknesses defenders can find before attackers do.

That shift carries both promise and pressure. Mozilla’s public remarks suggest the organisation sees AI-assisted vulnerability discovery as a force multiplier for defenders, but also as a warning that attackers will not ignore the same tools. For browser vendors and open-source maintainers, the challenge is no longer only fixing isolated bugs quickly; it is building enough engineering capacity to absorb a much larger stream of credible findings without breaking release discipline. Firefox’s long history with memory-safety defects shows why that matters. Academic work examining Mozilla vulnerabilities has found that regression weaknesses and tool limitations can persist even in mature projects, especially when developers are working under complexity and time pressure.

Firefox 150’s non-security release notes are comparatively light, mentioning a macOS Lockdown Mode display fix and tab-group handling changes, which leaves the security update as the defining feature of this release. That makes the patch cycle less about new consumer-facing features and more about closing off exploitable pathways before they can be abused in the wild. Mozilla has not said in the advisory that the listed Firefox 150 flaws were under active exploitation, but the high-impact ratings and repeated references to memory corruption are enough to put this update in the urgent category for most users and organisations.


