PatchSiren cyber security CVE debrief

CVE-2026-8949 Mozilla CVE debrief

CVE-2026-8949 is an integer overflow in Mozilla's Widget: Win32 component, the Windows-specific native windowing layer of the browser toolkit. Mozilla fixed it in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. NVD rates the issue CVSS 7.5 (HIGH) with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: a network-reachable denial of service that requires no privileges and no user interaction, with no confidentiality or integrity impact scored.

Vendor: Mozilla
Product: Firefox (Thunderbird is also affected; see the fixed versions above)
CVSS: 7.5 HIGH
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Mozilla Firefox and Thunderbird users and administrators, especially on Windows systems and any environment still running versions earlier than Firefox 151, Firefox ESR 140.11, Thunderbird 151, or Thunderbird 140.11.

Technical summary

NVD classifies the weakness as CWE-190 (integer overflow or wraparound). The published CPE criteria mark Firefox (regular and ESR) and Thunderbird (regular and ESR) as vulnerable up to, but not including, the fixed versions listed by Mozilla. Those CPE ranges are not scoped to an operating system, so even though the affected component is Windows-specific, non-Windows installations below the fixed versions also fall inside the published affected range. The reference set includes Mozilla Bugzilla and multiple Mozilla security advisories, indicating vendor-confirmed remediation.

Defensive priority

High

Recommended defensive actions

  • Upgrade Firefox to 151 or later.
  • Upgrade Firefox ESR to 140.11 or later.
  • Upgrade Thunderbird to 151 or later.
  • Upgrade Thunderbird ESR to 140.11 or later.
  • Prioritize Windows endpoints and application fleets that rely on Mozilla desktop clients for rapid patching.
  • Verify deployments against the NVD CPE/version ranges to confirm no affected builds remain in service.
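The version check in the last step is easy to get wrong because the regular and ESR tracks have different fix boundaries (151 versus 140.11) and an ESR build such as 140.10.0esr is numerically far below 151 yet must be judged against 140.11. The script below, an added example that is not part of the original debrief or of any Mozilla tooling, classifies an inventory row against the fixed versions stated in the CVE description. It assumes Mozilla's "NNN.N.Nesr" suffix convention for ESR builds; the inventory rows, hostnames and the product labels are constructed for the example. Pre-release strings (beta or nightly, e.g. "151.0b3") are reported separately rather than guessed at, because a 151 beta may predate the fix.

```python
"""Check Firefox/Thunderbird inventory rows against the CVE-2026-8949 fix boundaries."""
import re

# Fixed versions as stated in the CVE description; anything below is affected.
# The dictionary keys are labels chosen for this example, not NVD identifiers.
FIXED_VERSIONS = {
    "firefox": (151, 0, 0),
    "firefox_esr": (140, 11, 0),
    "thunderbird": (151, 0, 0),
    "thunderbird_esr": (140, 11, 0),
}

# major[.minor[.patch]][suffix], e.g. "150.0.1", "140.11.0esr", "151.0b3"
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?([a-z][a-z0-9]*)?$")


def parse_version(raw: str):
    """Return ((major, minor, patch), suffix) for a Mozilla version string.

    Assumption: ESR builds carry the 'esr' suffix, as in 'about:support' and
    application.ini. Unparseable input raises rather than being silently skipped.
    """
    m = _VERSION_RE.match(raw.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor or 0), int(patch or 0)), (suffix or "")


def classify(product: str, raw_version: str) -> str:
    """'affected' or 'fixed' for a release build, 'prerelease' for beta/nightly.

    A version without the 'esr' suffix is judged against the regular-release
    boundary. That is conservative: an ESR build whose suffix was stripped by
    the inventory tool (e.g. '140.11.0') is reported as affected, not missed.
    """
    base = product.strip().lower()
    if base not in ("firefox", "thunderbird"):
        raise ValueError(f"unsupported product: {product!r}")
    nums, suffix = parse_version(raw_version)
    if suffix and suffix != "esr":
        return "prerelease"
    key = f"{base}_esr" if suffix == "esr" else base
    return "fixed" if nums >= FIXED_VERSIONS[key] else "affected"


def scan_inventory(rows):
    """rows: iterable of (hostname, product, version).

    Returns every row that is not confirmed fixed, as
    (hostname, product, version, status), so the output is the patch worklist.
    """
    findings = []
    for host, product, version in rows:
        status = classify(product, version)
        if status != "fixed":
            findings.append((host, product, version, status))
    return findings


# Constructed sample inventory; hostnames and versions are hypothetical.
SAMPLE_INVENTORY = [
    ("win-desk-01", "firefox", "150.0.1"),      # regular track, below 151
    ("win-desk-02", "firefox", "151.0"),        # regular track, fixed
    ("win-desk-03", "firefox", "140.10.0esr"),  # ESR track, below 140.11
    ("win-desk-04", "firefox", "140.11.0esr"),  # ESR track, fixed
    ("mail-gw-01", "thunderbird", "140.9.1esr"),
    ("mail-gw-02", "thunderbird", "151.0"),
    ("qa-box-01", "firefox", "151.0b3"),        # beta: reported, not judged
]

if __name__ == "__main__":
    for host, product, version, status in scan_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {product:12} {version:14} {status}")
```

Feed the real inventory export (hostname, product, version) into scan_inventory and treat every returned row as unpatched until proven otherwise; rows flagged "prerelease" need a manual look because the numeric comparison is not meaningful for them.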

Evidence notes

The debrief is based on the NVD CVE record and Mozilla-linked references supplied in the source corpus. NVD lists the vulnerability as analyzed, assigns CWE-190, and provides vulnerable version boundaries for Firefox and Thunderbird. The fixed versions are explicitly stated in the CVE description. No exploit details or unsupported impact claims are included.

Official resources

Published 2026-05-19T14:16:51.140Z; modified 2026-05-20T14:49:05.930Z. Timing in this debrief uses the CVE published and modified timestamps provided in the source corpus.