CVE-2026-0891
Description
Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple memory safety bugs in Firefox and Thunderbird could be exploited to run arbitrary code; fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Vulnerability
Overview
CVE-2026-0891 is a catch-all identifier for multiple memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146, and Thunderbird 146. The official description states that some of these bugs showed evidence of memory corruption and that, with enough effort, some could have been exploited to run arbitrary code [1][2]. The vulnerabilities were addressed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7 [1][2][3][4].
Attack
Vector and Prerequisites
According to the referenced advisories, the specific bugs include use-after-free issues in the IPC and JavaScript engine components, boundary-condition errors and integer overflows in the graphics components (reported as sandbox escapes), and a mitigation bypass in the DOM Security component [1][2]. In Thunderbird, these flaws cannot generally be exploited through email because scripting is disabled when reading mail, but they remain a risk in browser or browser-like contexts [1][3]. Exploitation would typically require user interaction such as visiting a malicious web page or opening a crafted document in a browser context.
Impact
Successful exploitation could allow an attacker to execute arbitrary code in the affected application; combined with the sandbox-escape bugs noted above, this could extend to compromise of the underlying host. The CVSS v3 base score of 8.1 (High) reflects the serious nature of these vulnerabilities [1][2].
Mitigation
Mozilla has released fixed versions: Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7. Users should update to these versions immediately. No workarounds are available [1][2][3][4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* range: <147.0
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* range: <140.7.0
- Firefox (no CPE) range: <147
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* range: <147.0
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* range: <140.7.0
- Thunderbird (no CPE) range: <147
- Thunderbird (no CPE) range: <140.7
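The ranges above split on release channel: mainline builds are fixed at 147.0 and ESR builds at 140.7.0, for both Firefox and Thunderbird. As an added example (not code from this page or from Mozilla), the following Python check applies those ranges to installed-version strings of the form printed by `firefox --version` / `thunderbird --version` (e.g. "Mozilla Firefox 140.6.0esr"); the inventory lines are constructed for illustration, and a version without the "esr" suffix is treated as mainline. Pre-release strings (e.g. "147.0b3") are deliberately reported as unknown rather than guessed at.

```python
import re
from typing import List, Optional, Tuple

# Fixed versions per the advisory: mainline 147.0, ESR 140.7.0 (Firefox and Thunderbird alike).
FIXED = {
    "mainline": (147, 0, 0),
    "esr": (140, 7, 0),
}

# Matches "Mozilla Firefox 146.0.1", "Firefox 140.6.0esr", "Thunderbird 140.6.1esr".
# Anything else (other products, beta/nightly suffixes) is treated as unparseable.
_VERSION_RE = re.compile(
    r"^(?:Mozilla\s+)?(Firefox|Thunderbird)\s+(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?\s*$",
    re.IGNORECASE,
)


def parse_version(line: str) -> Optional[Tuple[str, Tuple[int, int, int], str]]:
    """Return (product, (major, minor, patch), channel) or None if not a Firefox/Thunderbird version string."""
    m = _VERSION_RE.match(line.strip())
    if not m:
        return None
    product, major, minor, patch, esr = m.groups()
    version = (int(major), int(minor or 0), int(patch or 0))
    channel = "esr" if esr else "mainline"
    return product.capitalize(), version, channel


def is_affected(line: str) -> Optional[bool]:
    """True if the version falls inside the affected range for its channel, False if fixed, None if unknown.

    Follows the CPE ranges on the page literally: any ESR build below 140.7.0 and any
    mainline build below 147.0 is reported as affected.
    """
    parsed = parse_version(line)
    if parsed is None:
        return None
    _, version, channel = parsed
    return version < FIXED[channel]


# Constructed sample inventory (hostname, version string); not real data.
CONSTRUCTED_INVENTORY = [
    ("ws-01", "Mozilla Firefox 146.0.1"),
    ("ws-02", "Mozilla Firefox 147.0"),
    ("ws-03", "Mozilla Firefox 140.6.0esr"),
    ("ws-04", "Mozilla Firefox 140.7.0esr"),
    ("mail-01", "Thunderbird 140.6.1esr"),
    ("mail-02", "Thunderbird 147.0"),
    ("ws-05", "Chromium 131.0.6778.85"),
]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Label each host as affected, fixed or unknown."""
    report = []
    for host, line in inventory:
        status = is_affected(line)
        if status is None:
            label = "unknown"
        elif status:
            label = "affected"
        else:
            label = "fixed"
        report.append((host, label))
    return report


if __name__ == "__main__":
    for host, label in triage(CONSTRUCTED_INVENTORY):
        print(f"{host}: {label}")
```

Feed it real output from your endpoint inventory tool; anything labelled "unknown" needs a manual look rather than being assumed safe.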
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.mozilla.org/security/advisories/mfsa2026-01/ (NVD, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-03/ (NVD, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-04/ (NVD, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-05/ (NVD, Vendor Advisory)
- bugzilla.mozilla.org/buglist.cgi (NVD, Broken Link)
News mentions
No linked articles in our index yet.