CVE-2026-8972

Vulnerability

CVE-2026-8972 is a privilege escalation vulnerability in the WebRTC Audio/Video component of Firefox and Thunderbird. The flaw exists in the handling of audio/video streams and can be triggered by a crafted web page or content. Affected versions include Firefox prior to 151 and Thunderbird prior to 151 [1][2].

Exploitation

An attacker would need to convince a user to visit a malicious web page or open a crafted email in a browser-like context (scripting is disabled in Thunderbird's email reading, but browser-like contexts are possible). The attacker can exploit the vulnerability to escalate privileges within the browser or Thunderbird process.

Impact

Successful exploitation allows an attacker to escalate privileges, potentially gaining higher-level access to system resources or sensitive data. The CVSS score is 8.8 (High), indicating significant impact on confidentiality, integrity, and availability.

Mitigation

The vulnerability is fixed in Firefox 151 and Thunderbird 151, released on May 19, 2026 [1][2]. Users should update to these versions or later. No workarounds are mentioned; updating is the recommended mitigation.