CVE-2026-8954

Vulnerability

An incorrect boundary condition combined with an integer overflow in the Audio/Video component of Firefox and Thunderbird could lead to memory corruption. Affected versions include Firefox before 151, Firefox ESR before 140.11, Thunderbird before 151, and Thunderbird before 140.11 [1][2][3][4].

Exploitation

An attacker would need to convince a user to visit a malicious webpage or interact with crafted media content. In Thunderbird, scripting is disabled by default when reading mail, so exploitation via email is not possible; however, in browser or browser-like contexts the vulnerability is reachable [2][3].

Impact

Successful exploitation could lead to memory corruption, potentially allowing an attacker to execute arbitrary code or cause a denial of service. The impact is rated moderate by Mozilla [1][2][3][4].

Mitigation

The vulnerability is fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11, all released on May 19, 2026. Users should update to these versions. No workarounds are available [1][2][3][4].