CVE-2026-8949
Description
Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An integer overflow in the Widget: Win32 component of Firefox and Thunderbird could allow memory corruption, fixed in Firefox 151, ESR 140.11, and Thunderbird 151/140.11.
Vulnerability
An integer overflow vulnerability exists in the Widget: Win32 component of Firefox and Thunderbird [1][2][3][4]. It affects Firefox before 151, Firefox ESR before 140.11, Thunderbird before 151, and Thunderbird before 140.11 [1][2][3][4]. The overflow is in Windows-specific widget code, the platform layer that sits between Gecko and the native Win32 window, input and drawing APIs; the advisories do not identify the calculation that overflows, only that its result can corrupt memory.
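The bug class the advisories describe (an integer overflow whose wrapped result is used as a buffer size) is shown below as an added illustration in C. It is not Mozilla code and does not reproduce the actual CVE-2026-8949 trigger, since the advisories do not name the calculation that overflows; the bitmap-size computation `width * height * 4`, the function names, the 1 GiB policy cap and the 65536 x 65536 input are all constructed for the example. The wrapping form sits beside two overflow-checked forms (one using the GCC/Clang builtin, one portable) and an allocation wrapper that refuses oversized requests instead of silently truncating them.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed example of the integer-overflow-to-undersized-buffer pattern.
 * This is NOT Mozilla code and does not reproduce CVE-2026-8949: the
 * advisories do not say which Widget: Win32 calculation overflows. The
 * bitmap-size computation below is a hypothetical stand-in. */

#define BYTES_PER_PIXEL 4u

/* Hypothetical vulnerable computation. Unsigned 32-bit arithmetic wraps
 * modulo 2^32, so 65536 x 65536 pixels "needs" 0 bytes. An allocation sized
 * from this value, followed by a write of width*height pixels, is a heap
 * overflow. */
uint32_t unchecked_pixel_bytes(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened computation: reject any pair whose byte count does not fit in
 * size_t, using the GCC/Clang overflow builtins. */
bool pixel_bytes_checked(uint32_t width, uint32_t height, size_t *out)
{
    size_t area, bytes;
    if (__builtin_mul_overflow((size_t)width, (size_t)height, &area))
        return false;
    if (__builtin_mul_overflow(area, (size_t)BYTES_PER_PIXEL, &bytes))
        return false;
    *out = bytes;
    return true;
}

/* Same check without compiler builtins: divide first so nothing can wrap.
 * Accepts exactly the inputs pixel_bytes_checked() accepts. */
bool pixel_bytes_checked_portable(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || height == 0) {
        *out = 0;
        return true;
    }
    if ((size_t)height > SIZE_MAX / width)
        return false;
    size_t area = (size_t)width * height;
    if (area > SIZE_MAX / BYTES_PER_PIXEL)
        return false;
    *out = area * BYTES_PER_PIXEL;
    return true;
}

/* True when both checked variants accept the dimensions and agree on
 * `expected` bytes; used to show the two implementations are equivalent. */
bool pixel_bytes_equal(uint32_t width, uint32_t height, size_t expected)
{
    size_t a, b;
    return pixel_bytes_checked(width, height, &a)
        && pixel_bytes_checked_portable(width, height, &b)
        && a == expected && b == expected;
}

/* True when both checked variants reject the dimensions. */
bool pixel_bytes_rejected(uint32_t width, uint32_t height)
{
    size_t a, b;
    return !pixel_bytes_checked(width, height, &a)
        && !pixel_bytes_checked_portable(width, height, &b);
}

/* Allocation wrapper a widget layer would call: NULL on overflow or on a
 * size above an explicit policy limit, never a silently truncated buffer.
 * The 1 GiB cap is a hypothetical value chosen for the example. */
unsigned char *alloc_pixels_checked(uint32_t width, uint32_t height)
{
    const size_t kMaxBitmapBytes = (size_t)1 << 30;
    size_t bytes;
    if (!pixel_bytes_checked(width, height, &bytes) || bytes > kMaxBitmapBytes)
        return NULL;
    return calloc(bytes ? bytes : 1, 1);
}

int main(void)
{
    uint32_t w = 65536, h = 65536;
    size_t bytes;
    printf("unchecked: %u x %u -> %u bytes\n", w, h, unchecked_pixel_bytes(w, h));
    if (pixel_bytes_checked(w, h, &bytes))
        printf("checked:   %u x %u -> %zu bytes\n", w, h, bytes);
    else
        printf("checked:   %u x %u -> rejected (overflow)\n", w, h);
    unsigned char *px = alloc_pixels_checked(w, h);
    printf("alloc:     %s\n", px ? "allocated" : "refused");
    free(px);
    return 0;
}
```

The point to carry over to real code review is the first function: the multiplication is done in the narrow type and the result is trusted. Whether the real Widget: Win32 bug is a size, an offset or a coordinate calculation, the fix pattern is the same: compute in a wide enough type, detect the wrap explicitly, and fail the operation rather than proceed with a wrapped value.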
Exploitation
An attacker would need to craft input that reaches the overflowing calculation in the Win32 widget code. In Thunderbird, scripting is disabled when reading email, so exploitation through a malicious message is not expected [2][3]; in browser or browser-like contexts (including Thunderbird when it renders such content), a web page could trigger the overflow [2][3]. The references give no further detail on the trigger conditions.
Impact
Successful exploitation could lead to memory corruption, potentially allowing an attacker to cause a denial of service or achieve code execution at the privilege level of the application [1][2][3][4]. Mozilla rates the severity moderate [1][2][3][4], while the CVSS v3 base score assigned to the CVE record is 7.5 (High); when the two disagree, patch scheduling should follow the higher rating.
Mitigation
The vulnerability is fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11 [1][2][3][4], released on May 19, 2026. Users should update to these versions or later. No workarounds are documented. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <140.11
- Range: <140.11
- Range: <151
- Range: <151
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://www.mozilla.org/security/advisories/mfsa2026-46/ (NVD: Vendor Advisory)
- https://www.mozilla.org/security/advisories/mfsa2026-48/ (NVD: Vendor Advisory)
- https://www.mozilla.org/security/advisories/mfsa2026-50/ (NVD: Vendor Advisory)
- https://www.mozilla.org/security/advisories/mfsa2026-51/ (NVD: Vendor Advisory)
- https://bugzilla.mozilla.org/show_bug.cgi (NVD: Permissions Required)
News mentions
No linked articles in our index yet.