High severity7.3NVD Advisory· Published May 7, 2026· Updated May 8, 2026

CVE-2026-8090

Description

Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2.

Affected products

Mozilla Corporation/Thunderbird3 versions
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*+ 2 more
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*range: <140.10.2
- cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*range: <150.0.2
- (no CPE)range: <=150.0.1 and <=140.10.1 (fixed in 150.0.2 and 140.10.2)
Mozilla Corporation/Firefox3 versions
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*+ 2 more
- cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*range: <115.35.2
- cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*range: <150.0.2
- (no CPE)range: <=150.0.1 (fixed in 150.0.2)
Mozilla Corporation/Firefox Esrllm-fuzzy
Range: <=140.10.1 and <=115.35.1 (fixed in 140.10.2 and 115.35.2)

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.mozilla.org/security/advisories/mfsa2026-40/nvdVendor Advisory
www.mozilla.org/security/advisories/mfsa2026-41/nvdVendor Advisory
www.mozilla.org/security/advisories/mfsa2026-42/nvdVendor Advisory
www.mozilla.org/security/advisories/mfsa2026-43/nvdVendor Advisory
www.mozilla.org/security/advisories/mfsa2026-44/nvdVendor Advisory
bugzilla.mozilla.org/show_bug.cginvdPermissions Required

News mentions

No linked articles in our index yet.

cvss	0.474
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000