CVE-2026-8959
Description
Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sandbox escape in Widget: Win32 due to boundary condition flaws allows host system compromise; fixed in Firefox 151 and Thunderbird 151.
Vulnerability
CVE-2026-8959 is a sandbox escape vulnerability in the Widget: Win32 component of Mozilla products, caused by incorrect boundary conditions [1]. This affects Firefox versions before 151, Firefox ESR before 140.11, Thunderbird versions before 151, and Thunderbird ESR before 140.11 [1][2][3][4].
Exploitation
An attacker must first achieve code execution within the browser sandbox, potentially through another vulnerability. Once achieved, this flaw can be used to escape the sandbox, as the boundary condition error allows bypassing security restrictions [1]. No additional user interaction is required for the escape itself.
Impact
Successful exploitation allows an attacker to escape the sandbox and execute arbitrary code on the host system, leading to full system compromise [1]. The impact is critical due to the potential for complete control over the affected device.
Mitigation
The vulnerability is fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11, released on May 19, 2026 [1][2][3][4]. Users should update to these versions immediately. No workarounds have been disclosed.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <140.11
- Range: <140.11
- Range: <151
- Range: <151
Patches
No patches discovered yet.
References
- www.mozilla.org/security/advisories/mfsa2026-46/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-48/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-50/ (nvd, Vendor Advisory)
- www.mozilla.org/security/advisories/mfsa2026-51/ (nvd, Vendor Advisory)
- bugzilla.mozilla.org/show_bug.cgi (nvd, Permissions Required)