CVE-2026-8946
Description
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Incorrect boundary conditions in Firefox and Thunderbird's Audio/Video: Web Codecs component could allow arbitrary code execution via a crafted web page.
Vulnerability
An incorrect boundary condition in the Audio/Video: Web Codecs component of Firefox and Thunderbird can lead to memory corruption [1][2][3][4]. This vulnerability affects Firefox versions prior to 151, Firefox ESR versions prior to 115.36 and 140.11, and Thunderbird versions prior to 151 and 140.11.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious web page that triggers the boundary condition error when processing audio/video codecs. User interaction is required to visit the page. In Thunderbird, scripting is disabled by default for email, so exploitation is only possible in browser-like contexts [2][3].
Impact
Successful exploitation could allow arbitrary code execution in the context of the affected application, leading to full compromise of the browser or Thunderbird instance [1][2][3][4].
Mitigation
This vulnerability is fixed in Firefox 151 [1], Firefox ESR 115.36, Firefox ESR 140.11 [4], Thunderbird 151 [2], and Thunderbird 140.11 [3]. Users should update to the latest versions. No workarounds are available.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Range: <151
- Range: <151
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- www.mozilla.org/security/advisories/mfsa2026-46/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-47/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-48/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-50/nvdVendor Advisory
- www.mozilla.org/security/advisories/mfsa2026-51/nvdVendor Advisory
- bugzilla.mozilla.org/show_bug.cginvdPermissions Required
News mentions
0No linked articles in our index yet.