VYPR
High severity 7.3 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-8947

Description

Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Use-after-free in DOM: Bindings (WebIDL) in Firefox and Thunderbird; fixed in versions 151 and ESR updates.

Vulnerability

A use-after-free vulnerability exists in the DOM: Bindings (WebIDL) component of Firefox and Thunderbird. Reported by Satoki Tsuji and assigned bug 2038439 [1], it affects Firefox versions before 151 [1], Firefox ESR before 115.36 and 140.11 [1][4], and Thunderbird versions before 151 and 140.11 [2][3]. The flaw occurs when WebIDL bindings are mishandled, leading to a use-after-free condition.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious web page that triggers the use-after-free. No authentication is required; it can be exploited via a website. In Thunderbird, scripting is disabled when reading email, making email-based exploitation unlikely, but it remains a risk in browser or browser-like contexts [2][3].

Impact

Successful exploitation could lead to arbitrary code execution in the context of the browser, potentially allowing an attacker to compromise the affected system. The impact is rated high [1].

Mitigation

The vulnerability is fixed in Firefox 151, Firefox ESR 115.36 and 140.11, Thunderbird 151, and Thunderbird 140.11, all released on May 19, 2026 [1][2][3][4]. Users should update to these versions or later. No workarounds are documented.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
