PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8947 Mozilla CVE debrief

CVE-2026-8947 is a Mozilla use-after-free vulnerability in the DOM: Bindings (WebIDL) component. Mozilla states it was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. NVD assigns a CVSS 3.1 base score of 7.3 (HIGH), with a network attack vector and no privileges or user interaction required.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 7.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Organizations and individuals running Mozilla Firefox or Thunderbird on versions earlier than the fixed releases should prioritize this update, especially enterprise patch teams, browser administrators, and security operations teams managing desktop fleets.

Technical summary

The vulnerability is classified as CWE-416 (use-after-free) in DOM Bindings (WebIDL). NVD's vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L: network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and low confidentiality, integrity, and availability impact. The official references tie the issue to Mozilla advisories and Bugzilla tracking.

Defensive priority

High. This should be patched promptly because the issue is publicly disclosed, rated HIGH, and does not require privileges or user interaction according to the NVD vector. It affects end-user software used broadly across desktop environments.

Recommended defensive actions

  • Update Firefox to 151 or later, or the applicable ESR build at or above 115.36 / 140.11.
  • Update Thunderbird to 151 or later, or 140.11 or later for the affected branch.
  • Confirm fleet inventory for any older Firefox ESR or Thunderbird installations and accelerate remediation for unmanaged endpoints.
  • Track Mozilla security advisories linked to the CVE record for any additional implementation notes or backported fix details.
  • Reboot or restart affected applications after patching so the updated code is loaded.
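As an added example of the inventory check above (not PatchSiren's or Mozilla's code), the Python routine below maps installed Firefox and Thunderbird version strings onto the fixed releases this debrief lists, treats the ESR branches separately from the mainline train, and flags builds from branches the advisory does not mention for manual review rather than assuming they are safe. The host names and version strings in the sample inventory are constructed.

```python
import re
from typing import Tuple

# Fixed releases as stated in the advisory; key is (product, branch), where
# branch is the ESR major version or None for the mainline train.
FIXED_RELEASES = {
    ("firefox", None): (151,),
    ("firefox", 115): (115, 36),
    ("firefox", 140): (140, 11),
    ("thunderbird", None): (151,),
    ("thunderbird", 140): (140, 11),
}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)\s*(esr)?$", re.IGNORECASE)

def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """Return (numeric tuple, is_esr) for strings like '115.36.0esr' or '151.0'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2) is not None

def assess(product: str, version: str) -> str:
    """Classify one installed build as 'fixed', 'vulnerable' or 'unknown'."""
    product = product.lower()
    numbers, is_esr = parse_version(version)
    major = numbers[0]
    # Firefox ESR builds report an 'esr' suffix; Thunderbird 140.x is treated
    # as the long-lived branch whether or not the installer reports that suffix.
    branch = major if is_esr or (product == "thunderbird" and major == 140) else None
    fixed = FIXED_RELEASES.get((product, branch))
    if fixed is None:
        return "unknown"  # product or branch the advisory does not list: review by hand
    # Compare only as many components as the advisory's fixed version states.
    return "fixed" if numbers[: len(fixed)] >= fixed else "vulnerable"

def triage(inventory):
    """Group (host, product, version) rows by assessment, preserving input order."""
    report = {"fixed": [], "vulnerable": [], "unknown": []}
    for host, product, version in inventory:
        report[assess(product, version)].append(host)
    return report

# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("ws-01", "firefox", "151.0"),
    ("ws-02", "firefox", "150.0.1"),
    ("ws-03", "firefox", "140.10.1esr"),
    ("ws-04", "firefox", "128.12.0esr"),
    ("mail-01", "thunderbird", "140.9.0"),
]
```

Running `triage(SAMPLE_INVENTORY)` returns the hosts grouped by status; anything in the "unknown" bucket is a branch this debrief does not cover and needs a manual check against the Mozilla advisory.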

Evidence notes

This debrief is based on the CVE description, NVD metadata, and Mozilla-linked official references supplied in the source corpus. The CVE was published and last modified on 2026-05-19, and the source timestamps match those CVE dates. The corpus does not include the full text of the Mozilla advisories, so conclusions are limited to the metadata and linked official records.

Official resources

Mozilla publicly disclosed and fixed CVE-2026-8947 on 2026-05-19, with NVD subsequently analyzing the entry and linking to Mozilla advisories and a Bugzilla report.