VYPR
Critical severity 9.6 · NVD Advisory · Published May 19, 2026 · Updated May 19, 2026

CVE-2026-8953

Description

Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free in Firefox and Thunderbird's Disability Access APIs allows a sandbox escape, fixed in versions released May 2026.

Vulnerability

A use-after-free vulnerability exists in the Disability Access APIs component of Firefox and Thunderbird, allowing a sandbox escape [1][2][3][4]. The bug is reachable through browser-like contexts; in Thunderbird, scripting is disabled for email, reducing the exposure [2][3]. Affected versions include Firefox before 151, Firefox ESR before 115.36 and 140.11, and Thunderbird before 151 and 140.11 [1][2][3][4].

Exploitation

An attacker would need to get the victim to load content (e.g., a crafted web page or HTML email) that triggers the use-after-free in the Disability Access APIs component. The specific sequence of steps is not publicly detailed, but exploitation requires the victim to view attacker-controlled content in a context where scripting is enabled [1][2].

Impact

Successful exploitation could allow an attacker to escape the browser's sandbox, potentially leading to arbitrary code execution on the host system with the privileges of the user running the browser or Thunderbird [1].

Mitigation

Mozilla has fixed this issue in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11, announced on May 19, 2026 [1][2][3][4]. Users should update to these or later versions. No workarounds are available; updating is the recommended mitigation.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0. No patches discovered yet.


References: 6
