VYPR
patch · Published May 31, 2026 · 1 source

Mozilla Patches 25 CVEs in Firefox and Thunderbird, Including Four Critical Sandbox Escape Flaws

Mozilla's May 2026 security update fixes 25 vulnerabilities across Firefox and Thunderbird, including four critical bugs and two sandbox escapes affecting Windows users.

Mozilla released Firefox 151 and Thunderbird 151 on May 19, 2026, patching a massive batch of 25 security vulnerabilities that includes four critical-severity bugs, two of which are sandbox escapes that could allow an attacker to break out of the browser's security sandbox on Windows systems.

The most severe vulnerability in the batch is CVE-2026-8956, a critical integer overflow in the Networking: JAR component with a CVSS score of 9.8. This flaw could be exploited remotely without any user interaction beyond normal browsing, potentially leading to arbitrary code execution. Two additional critical sandbox escape bugs were also disclosed: CVE-2026-8959 (CVSS 9.6) in the Widget: Win32 component, caused by incorrect boundary conditions, and CVE-2026-8953 (CVSS 9.6), a use-after-free in the Disability Access APIs component that also enables sandbox escape. A fourth critical CVE, CVE-2026-8950 (CVSS 9.3), is a same-origin policy bypass in the Networking: HTTP component that could allow cross-origin data access.

Several high-severity privilege escalation bugs were fixed across multiple components. CVE-2026-8972 (CVSS 8.8) affects the WebRTC Audio/Video subsystem, CVE-2026-8970 (CVSS 8.8) is in the Security component, CVE-2026-8957 (CVSS 8.8) resides in Enterprise Policies, CVE-2026-8955 (CVSS 8.8) affects DOM Workers, and CVE-2026-8952 (CVSS 8.8) is in the Application Update mechanism. Each of these could allow an attacker to escalate privileges within the browser's process model.

Memory safety remains a recurring theme: CVE-2026-8973 (CVSS 8.8) is a catch-all for memory safety bugs in Firefox 150 that showed evidence of memory corruption, which Mozilla presumes could be exploited for arbitrary code execution with sufficient effort. Two mitigation bypasses were also addressed in the DOM: Security component — CVE-2026-8969 (CVSS 8.1) and CVE-2026-8962 (CVSS 8.1) — which could allow attackers to bypass existing security protections.

Information disclosure vulnerabilities were patched across several subsystems. CVE-2026-8967 (CVSS 7.5) affects the Graphics: WebGPU component, CVE-2026-8966 (CVSS 7.5) impacts the IP Protection feature, and CVE-2026-8965 (CVSS 7.5) is in the DOM: Security component. Additionally, CVE-2026-8958 (CVSS 8.6) in the Security: Process Sandboxing component combines information disclosure with sandbox escape capabilities.

Spoofing issues were fixed in multiple areas: CVE-2026-8964 (CVSS 7.5) in the Popup Blocker, CVE-2026-8963 (CVSS 7.5) in the Web Speech API, CVE-2026-8961 (CVSS 6.5) in Form Autofill, and CVE-2026-8960 (CVSS 7.5) in WebExtensions. These could allow an attacker to spoof UI elements or content, potentially tricking users into interacting with malicious interfaces.

Firefox 151 and Thunderbird 151 are the primary fixed versions for most CVEs. For users on the Extended Support Release (ESR) channel, Firefox ESR 140.11 addresses 13 of the 25 bugs, while Firefox ESR 115.36 is only needed for CVE-2026-8953 (the Disability Access APIs use-after-free). Thunderbird ESR 140.11 also covers the same subset. Mozilla has not reported any active exploitation of these vulnerabilities in the wild at the time of disclosure.
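As an added example (not part of the original article and not Mozilla's own tooling), the following Python helper turns the fixed versions listed above into a fleet audit check: it parses an installed Firefox or Thunderbird version string, maps it to the release, ESR 140 or ESR 115 channel, and reports whether the build is at or past the version that carries the fix. The version-string format it accepts (e.g. "151.0", "150.0.1", "140.10.0esr") and the sample inventory it runs on are assumptions constructed for the example.

```python
import re

# Fixed versions as stated in the advisory summary above (major, minor).
FIXED_VERSION = {
    "release": (151, 0),   # Firefox 151 / Thunderbird 151
    "esr140": (140, 11),   # Firefox/Thunderbird ESR 140.11
    "esr115": (115, 36),   # Firefox ESR 115.36 (CVE-2026-8953 only)
}

# Assumption: versions look like "151.0", "150.0.1" or "140.10.0esr" (ESR suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def parse_version(raw: str):
    """Return (major, minor, patch, is_esr) for a Firefox-style version string."""
    m = VERSION_RE.match(raw.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    major, minor, patch, esr = m.groups()
    return int(major), int(minor), int(patch or 0), esr is not None


def channel_for(major: int, is_esr: bool):
    """Map a parsed version onto one of the channels the advisory covers."""
    if not is_esr:
        return "release"
    if major == 140:
        return "esr140"
    if major == 115:
        return "esr115"
    return None  # an ESR line the advisory summary does not mention


def audit(raw: str) -> dict:
    """Report whether an installed build is at or past the fixed version."""
    major, minor, _patch, is_esr = parse_version(raw)
    channel = channel_for(major, is_esr)
    if channel is None:
        return {"version": raw, "channel": "unknown-esr", "patched": None,
                "note": "ESR line not covered by the May 2026 advisory"}
    patched = (major, minor) >= FIXED_VERSION[channel]
    note = ""
    if channel == "esr115":
        note = "ESR 115.36 addresses only CVE-2026-8953 from this batch"
    elif channel == "esr140":
        note = "ESR 140.11 addresses 13 of the 25 CVEs; Firefox 151 has all of them"
    return {"version": raw, "channel": channel, "patched": patched, "note": note}


if __name__ == "__main__":  # constructed sample versions, not real hosts
    print([audit(v) for v in ("151.0", "140.10.1esr", "115.36.0esr")])
```

A build on an ESR line the advisory does not mention is reported with `patched` set to `None` rather than guessed either way.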

This batch represents one of the largest single-day security updates from Mozilla in recent memory, with four critical-severity bugs and a broad sweep of privilege escalation and sandbox escape flaws. Users of Firefox, Firefox ESR, and Thunderbird are strongly advised to update to the latest versions immediately, particularly given the sandbox escape vulnerabilities that could be chained with other browser bugs for full system compromise.

Synthesized by Vypr AI