Critical severity 9.8 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-8956

Description

Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An integer overflow in the Networking: JAR component allows remote code execution without user interaction in Firefox and Thunderbird before the May 2026 updates.

Vulnerability

An integer overflow exists in the Networking: JAR component of Firefox and Thunderbird. This flaw can be triggered during the processing of a crafted JAR archive, leading to memory corruption. The vulnerability affects Firefox versions prior to 151, Firefox ESR prior to 140.11, Thunderbird prior to 151, and Thunderbird prior to 140.11 [1][2][3][4].

Exploitation

An attacker can exploit this vulnerability by hosting a specially crafted JAR file on a website or by embedding it in a web page. No user interaction beyond normal navigation is required; the browser or Thunderbird’s mail viewer will automatically process the JAR content upon loading the page [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary code on the victim’s system. This can lead to full compromise of the application’s security context, including the ability to read, modify, or delete data, and potentially escape the sandbox depending on the severity of the overflow [1].

Mitigation

Mozilla addressed this vulnerability in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11, all released on May 19, 2026 [1][2][3][4]. Users should update to these versions immediately. No workaround is available for unpatched versions.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

References

5
