DEBIAN-CVE-2026-7320

DEBIAN-CVE-2026-7320 PUBLISHED CVSS 7.5 HIGH

Information disclosure due to incorrect boundary conditions in the Audio/Video component. This vulnerability was fixed in Firefox 150.0.1, Firefox ESR 140.10.1, Firefox ESR 115.35.1, Thunderbird 150.0.1, and Thunderbird 140.10.1.

Risk Scores

CVSS 3.1

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

Vendor	Product	Versions
Debian:13	firefox-esr	140.3.0esr-1~deb13u1, 140.3.0esr-2, 140.3.1esr-1
Debian:11	firefox-esr	91.3.0esr-2, 91.2.0esr-1, 91.13.0esr-1~deb11u1
Debian:11	thunderbird	140.7.1, 0, 102.0.1-1
Debian:13	thunderbird	140.6.0, 140.5.0, 140.5.0
Debian:12	thunderbird	115.3.0-1, 0, 140.9.1
Debian:14	firefox-esr	140.10.1, 0, 128.14.0esr-1~deb11u1
Debian:14	thunderbird	140.7.0, 140.7.0, 140.7.1
Debian:12	firefox-esr	102.11.0esr-1, 102.12.0esr-1, 102.12.0esr-1~deb10u1

Exploit Intelligence

mfsa2026-38.yml (github-poc)
mfsa2026-37.yml (github-poc)
2026.xml (github-poc)

Timeline

Apr 28, 2026 CVE Published
May 6, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2026-7320 advisory

Open in Interactive Console →