CVE-2026-5733 involves incorrect boundary conditions in the Graphics: WebGPU component of Mozilla Firefox, classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). This vulnerability results in memory safety issues that could lead to memory corruption and potentially arbitrary code execution. The flaw was reported by Inseo An and fixed in Firefox 149.0.2 and Thunderbird 149.0.2. Mozilla's official advisories (MFSA 2026-25 and MFSA 2026-28) confirm the fix and note that these memory safety bugs were present in Firefox ESR 115.34.0, ESR 140.9.0, Firefox 149.0.1, and Thunderbird 149.0.1. The CVSS v3.1 base score is 8.8, indicating a high impact with network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high confidentiality, integrity, and availability impacts.

The vulnerability could allow an attacker to cause memory corruption in the Graphics: WebGPU component, potentially leading to arbitrary code execution. This could compromise confidentiality, integrity, and availability of the affected systems running vulnerable Firefox or Thunderbird versions. However, no known exploits are reported in the wild. The impact is rated high by Mozilla and the CVSS score supports this assessment.

Mozilla has released official fixes for this vulnerability in Firefox 149.0.2 and Thunderbird 149.0.2. Users and administrators should update to these versions or later to remediate the issue. Since the vulnerability is fixed in these versions, no additional mitigation steps are required beyond applying the official update. Patch status is confirmed by Mozilla advisories MFSA 2026-25 and MFSA 2026-28.