VYPR
High severity 8.8 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-8955

Description

Privilege escalation in the DOM: Workers component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A privilege escalation vulnerability in the DOM: Workers component of Mozilla Firefox and Thunderbird allows an attacker to gain elevated privileges.

Vulnerability

A privilege escalation vulnerability exists in the DOM: Workers component of Firefox and Thunderbird. This affects Firefox versions prior to 151, Firefox ESR versions prior to 140.11, Thunderbird versions prior to 151, and Thunderbird ESR versions prior to 140.11 [1][2][3][4]. The specific code path can be triggered when processing Worker scripts.

Exploitation

An attacker would need to convince a user to visit a malicious website or open a crafted email in a browser-like context (scripting must be enabled). In Thunderbird, scripting is disabled by default when reading mail, but the flaw is still a risk in browser or browser-like contexts [2][3]. The attacker can craft a Worker that exploits the privilege escalation vulnerability.

Impact

Successful exploitation allows the attacker to obtain elevated privileges, potentially leading to further compromise beyond the normal sandbox restrictions [1]. The attacker can execute arbitrary code with the privilege level of the browser process, which could lead to full system compromise.

Mitigation

The vulnerability is fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11, released on May 19, 2026 [1][2][3][4]. Users should update to these versions or later. No workaround is available; installation of the updated version is the only mitigation.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
