VYPR
High severity 8.1 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-8962

Description

Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mitigation bypass in the DOM: Security component of Firefox and Thunderbird, fixed in versions 151 and ESR 140.11.

Vulnerability

CVE-2026-8962 is a mitigation bypass vulnerability in the DOM: Security component of Mozilla Firefox and Thunderbird. The exact nature of the bypass is not detailed in the available references, but it allows an attacker to circumvent security mitigations. Affected versions include Firefox prior to 151, Firefox ESR prior to 140.11, Thunderbird prior to 151, and Thunderbird prior to 140.11 [1][2][3][4].

Exploitation

Exploitation details are not disclosed in the available references. However, the vulnerability is rated with a CVSS v3 score of 8.1 (High), suggesting network-based exploitation with low complexity and no privileges required, but likely requiring user interaction or specific conditions [1]. Given the component (DOM: Security), successful exploitation may involve crafting a web page or content that triggers the bypass.

Impact

The impact is rated as high, indicating that successful exploitation could lead to severe consequences. Based on the CVSS score and the nature of a mitigation bypass, an attacker could potentially escape security restrictions, leading to unauthorized actions or information disclosure. The exact impact (such as privilege escalation, same-origin policy bypass, or arbitrary code execution) is not specified in the references [1].

Mitigation

Mozilla has fixed this vulnerability in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11, all released on May 19, 2026 [1][2][3][4]. Users are advised to update their software to the latest versions. No workarounds are mentioned. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
