CVE-2026-8952
Description
Privilege escalation in the Application Update component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Privilege escalation vulnerability in the Application Update component of Firefox and Thunderbird, fixed in versions 151.
Vulnerability
A privilege escalation vulnerability exists in the Application Update component of Mozilla Firefox and Thunderbird prior to version 151 [1][2]. It allows an attacker to exploit the update process to gain elevated privileges on the affected system. All versions before Firefox 151 and Thunderbird 151 are affected.
Exploitation
An attacker with limited user privileges could exploit this vulnerability by manipulating the application update mechanism. The exact exploitation steps are not detailed in the available references, but the vulnerability is classified as high severity (CVSS 8.8) [1][2]. The attacker may need to be able to interact with the update process or have control over network communications during an update check.
Impact
Successful exploitation grants the attacker elevated privileges, potentially leading to full system compromise. This could result in unauthorized access to sensitive data, installation of malware, or further exploitation of the system [1][2].
Mitigation
The vulnerability is fixed in Firefox 151 and Thunderbird 151, released on May 19, 2026 [1][2]. Users should update to the latest versions. No workarounds are documented; upgrading is the recommended action.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <151
- (no CPE) range: <151
- Range: <151
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2026-46/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-50/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd, Permissions Required)