PatchSiren

CVE-2026-8946 Mozilla CVE debrief

Mozilla disclosed a high-severity boundary-condition issue in the Audio/Video: Web Codecs component affecting Firefox and Thunderbird release lines. The NVD record rates the issue CVSS 3.1 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), which indicates a remotely reachable flaw with no privileges or user interaction required and a confidentiality impact. Mozilla states the vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Administrators and users running affected Firefox or Thunderbird versions, especially environments that lag on browser or mail-client patching and organizations using Firefox ESR or Thunderbird ESR branches.

Technical summary

NVD describes the issue as incorrect boundary conditions in Mozilla's Audio/Video: Web Codecs component and maps it to CWE-119. The affected version ranges in the NVD record are Firefox before 151.0.0, Firefox ESR 115 before 115.36.0, Firefox ESR 140 from 140.0 up to 140.11.0, and Thunderbird before 140.11. Mozilla's references cited by NVD indicate the issue was addressed in the corresponding fixed releases.

Defensive priority

High. The CVSS vector shows network attack vector, low complexity, no privileges, no user interaction, and high confidentiality impact, so affected systems should be prioritized for prompt browser and mail-client updates.

Recommended defensive actions

  • Update Firefox to 151.0.0 or later, or to the latest supported release.
  • Update Firefox ESR to 115.36.0 or later for the 115 ESR branch, or 140.11.0 or later for the 140 ESR branch.
  • Update Thunderbird to 151 or later, or to 140.11 or later on the ESR branch.
  • Inventory endpoints and managed devices to find affected Firefox and Thunderbird versions.
  • Verify that update deployment includes application restarts and post-update version checks.
  • Track Mozilla security advisories and NVD for any follow-on corrections or scope clarifications.
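
The inventory and post-update version checks above can be scripted. The following is an added example, not part of the original debrief or any Mozilla tooling: it classifies reported versions against the fixed releases listed here. It assumes ESR builds report an "esr" suffix in their version string; the hostnames, sample rows and status labels are constructed.

```python
import re

# Fixed versions from this debrief's recommended actions, keyed by (product, branch).
FIXED = {
    ("firefox", "release"): (151, 0, 0),
    ("firefox", "esr115"): (115, 36, 0),
    ("firefox", "esr140"): (140, 11, 0),
    ("thunderbird", "release"): (151, 0, 0),
    ("thunderbird", "esr140"): (140, 11, 0),
}
VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?")


def classify(product, version):
    """Return 'patched', 'vulnerable', 'unlisted-branch' or 'unknown'."""
    product = product.strip().lower()
    m = VERSION_RE.fullmatch(version.strip().lower())
    if m is None or (product, "release") not in FIXED:
        return "unknown"  # beta/nightly strings or other products: review by hand
    nums = tuple(int(g or 0) for g in m.group(1, 2, 3))
    # Assumption: ESR builds carry an "esr" suffix in the reported version.
    branch = f"esr{nums[0]}" if m.group(4) else "release"
    fixed = FIXED.get((product, branch))
    if fixed is None:
        # ESR branch with no fixed release named on this page: needs a branch move.
        return "patched" if nums >= FIXED[(product, "release")] else "unlisted-branch"
    return "patched" if nums >= fixed else "vulnerable"


def needs_action(inventory):
    """Rows (host, product, version, status) that are not confirmed patched."""
    rows = [(h, p, v, classify(p, v)) for h, p, v in inventory]
    return [r for r in rows if r[3] != "patched"]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ws-001", "Firefox", "151.0"),
    ("ws-002", "Firefox", "150.0.1"),
    ("ws-003", "Firefox", "115.35.0esr"),
    ("ws-004", "Thunderbird", "140.10.1esr"),
    ("ws-005", "Firefox", "128.14.0esr"),
    ("ws-006", "Firefox", "151.0b3"),
]

if __name__ == "__main__":
    for row in needs_action(SAMPLE):
        print(*row, sep="\t")
```

Rows reported as `unknown` or `unlisted-branch` are not confirmed safe; they need a manual check or a move to a branch with a listed fix.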

Evidence notes

This debrief is based on the supplied NVD CVE record for CVE-2026-8946, which includes the description 'Incorrect boundary conditions in the Audio/Video: Web Codecs component,' the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, the CWE-119 mapping, and Mozilla advisory references. The supplied corpus did not include the full advisory body text, so product/version scope is taken from the NVD CPE criteria and the CVE description.

Official resources

Publicly disclosed on 2026-05-19 per the supplied CVE/NVD record, with the record modified later the same day at 2026-05-19T18:50:01.003Z.