CVE-2020-6820

ENISA EUVD: EUVD-2020-27964 ↗

Exploited in the Wild ✓ Confirmed 0-Day ★ Google Project Zero

Triaged: March 3, 2026 2 articles Published: 2020-04-24

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗ Advisory ↗ P0 Sheet ↗ CISA KEV ↗

EPSS Score

Source: FIRST.org · 2026-05-23

3.13%

probability

This CVE has a 3.13% probability of being exploited in the next 30 days.

0% Top 87.0th percentile of all CVEs 100%

CVSS v3.1

Source: VulnerabilityLookup (CIRCL)

8.1

HIGH

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2 (legacy)

6.8

MEDIUM

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Description

VulnerabilityLookup (CNA)

Under certain conditions, when handling a ReadableStream, a race condition can cause a use-after-free. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Thunderbird < 68.7.0, Firefox < 74.0.1, and Firefox ESR < 68.6.1.

Affected Products

Mozilla

Thunderbird

unspecified

Mozilla

Firefox

unspecified

Mozilla

Firefox ESR

unspecified

mozilla

firefox

mozilla

thunderbird

Mozilla

Firefox ESR

unspecified <68.6.1

Mozilla

Thunderbird

unspecified <68.7.0

Mozilla

Firefox

unspecified <74.0.1

Attack Intelligence

CWE-362 · Race Condition CWE-691 · Insufficient Control Flow Management

Google Project Zero

Discovered

April 1, 2020

Patched

April 3, 2020

Reported by

Francisco Alonso @revskills working with Javier Marcos of @JMPSec

Root Cause Analysis

https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-6820.html

https://www.mozilla.org/security/advisories/mfsa2020-14/

x_refsource_MISC

https://www.mozilla.org/security/advisories/mfsa2020-11/

x_refsource_MISC

https://bugzilla.mozilla.org/show_bug.cgi?id=1626728

x_refsource_MISC

https://usn.ubuntu.com/4335-1/

vendor-advisory x_refsource_UBUNTU

Signal Intelligence

Confidenceⓘ

92%

EPSS 3.13%

CVSS v3.1 8.1

Mentions 2

Last Seen Apr 06, 2020

CNA Information

CNA Assigner

mozilla

Analyst Note

CVE-2020-6820 is confirmed as a high-severity use-after-free vulnerability in Mozilla products with active exploitation documented in the wild. The presence of Project Zero disclosure, CERT-EU advisory coverage, and official vendor patches for Firefox 74.0.1, Firefox ESR 68.6.1, and Thunderbird 68.7.0 provide strong corroboration of the vulnerability's authenticity and impact.

Triage Info

Decided atMar 03, 2026

Published DateApr 24, 2020