CVE-2026-0883
Description
Information disclosure in the Networking component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-0883 is an information disclosure vulnerability in the Networking component of Firefox and Thunderbird, fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Vulnerability Overview
CVE-2026-0883 is an information disclosure vulnerability in the Networking component of Mozilla products. The flaw was reported by Vladislav Plyatsok and is tracked as bug 1989340 [1][2]. It affects Firefox, Firefox ESR, and Thunderbird, allowing an attacker to potentially leak sensitive data through the networking stack.
Exploitation Context
The vulnerability exists in the Networking component, which handles network requests and responses. In Thunderbird, exploitation through email is not feasible because scripting is disabled when reading mail [1][3]. However, in browser or browser-like contexts (e.g., Firefox or Thunderbird with active content), an attacker could potentially trigger the flaw without requiring authentication or user interaction beyond normal browsing.
Impact
A successful exploit could lead to information disclosure, exposing sensitive data that should be protected. The CVSS v3 severity is Medium (5.3), and the advisory rates the impact as moderate [1][2]. The attacker cannot execute arbitrary code but may gain access to information such as HTTP headers, cookies, or other networking data.
Mitigation
Mozilla has addressed this vulnerability in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7, released on January 13, 2026 [1][2][3][4]. Users should update to these patched versions immediately to mitigate the risk.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (range: <147.0)
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (range: <140.7.0)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* (range: <147.0)
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (range: <140.7.0)
References
- www.mozilla.org/security/advisories/mfsa2026-01/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-03/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-04/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-05/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd, Permissions Required)