VYPR
High severity · 7.5 · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-8968

Description

Denial-of-service due to invalid pointer in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An invalid pointer in the Audio/Video: Web Codecs component of Firefox and Thunderbird allows a remote attacker to cause a denial-of-service via crafted media.

Vulnerability

CVE-2026-8968 is a denial-of-service vulnerability in the Audio/Video: Web Codecs component of Firefox, Firefox ESR, and Thunderbird. The flaw is caused by an invalid pointer dereference when processing crafted media content. Affected versions include Firefox before 151, Firefox ESR before 140.11, Thunderbird before 151, and Thunderbird before 140.11 [1][2][3][4].

Exploitation

An attacker must deliver a specially crafted media file or stream to the victim, either through a web page (in Firefox, or in Thunderbird where content is rendered in a browser-like context) or via an embedded media element. No special network position or authentication is required beyond the ability to serve content that triggers the vulnerable code path. User interaction is minimal: the victim only needs to load the malicious content [1][2].

Impact

Successful exploitation results in a denial-of-service condition, likely producing a browser crash or application hang. The adversary gains no code execution or data access; the impact is limited to availability. The CVSS v3 base score is 7.5 (High), reflecting the ease of causing service interruption [1][2].

Mitigation

Mozilla released fixes in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11 on May 19, 2026. Users should update to these versions or later. There is no known workaround; applying the security update is the only mitigation [1][2][3][4].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
