CVE-2026-8957
Description
Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A privilege escalation vulnerability in the Enterprise Policies component of Mozilla Firefox and Thunderbird allows an attacker to gain elevated privileges; it is fixed in versions 151 and ESR 140.11.
Vulnerability
CVE-2026-8957 is a privilege escalation vulnerability located in the Enterprise Policies component of Mozilla Firefox and Thunderbird. Affected versions include Firefox before 151, Firefox ESR before 140.11, Thunderbird before 151, and Thunderbird before 140.11 [1][2][3][4]. The exact technical details of the flaw have not been publicly disclosed, but it involves the ability to escalate privileges within the application through the Enterprise Policies mechanism.
Exploitation
An attacker would need some level of existing access to the system or user session to exploit this vulnerability. The specific conditions required are not publicly detailed. The Enterprise Policies component is used by administrators to enforce configuration settings, and exploitation may involve manipulating or bypassing policy enforcement. No user interaction beyond normal usage is described, but the attacker likely requires local or network access that allows interaction with the policy system.
Impact
Successful exploitation could allow an attacker to escalate their privileges, potentially gaining higher permissions than intended. This could lead to unauthorized access to sensitive data, modification of system settings, or execution of arbitrary code with elevated privileges. The impact is rated high with a CVSS v3 score of 8.8, indicating significant confidentiality, integrity, and availability concerns.
Mitigation
Mozilla has fixed this vulnerability in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11, all released on May 19, 2026 [1][2][3][4]. Users should update to these versions or later. No workarounds have been published. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <140.11
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.mozilla.org/security/advisories/mfsa2026-46/ (nvd: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-48/ (nvd: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-50/ (nvd: Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-51/ (nvd: Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd: Permissions Required)
News mentions
No linked articles in our index yet.