CVE-2020-6819
ENISA EUVD: EUVD-2020-27963 ↗
Exploited in the Wild
✓ Confirmed 0-Day
★ Google Project Zero
Triaged: March 3, 2026
2 articles
EPSS Score
Source: FIRST.org · 2026-05-24
0.36%
probability
This CVE has a 0.36% probability
of being exploited in the next 30 days.
0%
Top 58.5th percentile of all CVEs
100%
CVSS v3.1
Source: NVD8.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Project ZeroUse-after-free while running the nsDocShell destructor
Affected Products
Attack Intelligence
CWE-118
· Incorrect Access of Indexable Resource ('Range Error')
CWE-119
· Buffer Overflow
CWE-362
· Race Condition
CWE-416
· Use After Free
CWE-664
· Improper Control of a Resource Through its Lifetime
CWE-666
· Operation on Resource in Wrong Phase of Lifetime
CWE-672
· Operation on a Resource after Expiration or Release
CWE-691
· Insufficient Control Flow Management
CWE-825
· Expired Pointer Dereference
Google Project Zero
Discovered
March 8, 2020
Patched
April 3, 2020
Reported by
Francisco Alonso @revskills working with Javier Marcos of @JMPSec
Root Cause Analysis
???
Mozilla Patches Two Actively Exploited Firefox Zero-Days
BleepingComputer
Apr 03, 2020
Security Advisory 2020-020
CERT-EU
Apr 06, 2020
Signal Intelligence
Confidence
92%
EPSS
0.36%
CVSS v3.1
8.1
Mentions
2
Last Seen
Apr 06, 2020
CNA Information
Analyst Note
CVE-2020-6819 is a well-documented use-after-free vulnerability in Mozilla Thunderbird and Firefox with a HIGH CVSS score (8.1), confirmed by active exploitation in the wild as stated in the official description. The vulnerability is corroborated by CERT-EU security advisory and inclusion in Google Project Zero records, providing strong evidence for the confirmed status.
Triage Info
Decided atMar 03, 2026