CVE-2026-8958
Description
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An information disclosure and sandbox escape vulnerability in Firefox and Thunderbird's Process Sandboxing component was fixed in Firefox 151, ESR 140.11, Thunderbird 151, and 140.11.
Vulnerability
CVE-2026-8958 is an information disclosure and sandbox escape in the Security: Process Sandboxing component of Firefox and Thunderbird. The vulnerability affects Firefox versions before 151, Firefox ESR versions before 140.11, Thunderbird versions before 151, and Thunderbird versions before 140.11 [1][2][3][4].
Exploitation
An attacker could potentially leverage this flaw to disclose sensitive information and escape the sandbox. The available references do not detail the exact exploitation steps. In Thunderbird, scripting is disabled when reading mail, which reduces email-based risk, but the flaw can be triggered in browser or browser-like contexts [2][3].
Impact
Successful exploitation could lead to information disclosure and sandbox escape, allowing an attacker to break out of the sandboxed environment and potentially access sensitive data or execute code outside the sandbox restrictions [1][2][3][4].
Mitigation
Mozilla fixed this vulnerability in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11 as announced on May 19, 2026 [1][2][3][4]. Users should update to these versions or later to mitigate the risk. No workarounds are mentioned.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 140.11
- Range: < 140.11
- Range: < 140.11
- Range: < 151
- Range: < 151
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2026-46/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-48/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-50/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-51/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd, Permissions Required)