PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8953 Mozilla CVE debrief

CVE-2026-8953 is a critical Mozilla vulnerability involving a use-after-free in the Disability Access APIs component. Mozilla states it was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Because the flaw can lead to sandbox escape and carries a CVSS 3.1 score of 9.6, it should be treated as an urgent patching priority for browsers and mail clients still on affected releases.

Vendor: Mozilla
Product: Firefox
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Security teams, endpoint administrators, and individual users running Firefox, Firefox ESR, or Thunderbird on versions earlier than the fixed releases. Organizations that rely on managed browser or mail-client update cycles should prioritize this issue immediately.

Technical summary

The NVD record describes CVE-2026-8953 as a use-after-free (CWE-416) in Mozilla’s Disability Access APIs component. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating network-based exposure with low attack complexity, no privileges required, user interaction required (for example, visiting a crafted page or opening crafted content), and a changed scope (S:C) with high confidentiality, integrity, and availability impact. The security impact is severe because the flaw can be used for sandbox escape, expanding impact beyond the initial browser or application boundary, which is what the changed-scope rating reflects.

Defensive priority

Immediate

Recommended defensive actions

  • Update Firefox to 151 or later.
  • Update Firefox ESR to 115.36 or 140.11 or later, depending on the deployed ESR branch.
  • Update Thunderbird to 151 or later, or 140.11 or later for the 140 ESR branch.
  • Verify fleet inventory for all Mozilla browser and mail-client installations, including unmanaged endpoints.
  • Treat the issue as high priority in standard patch queues because the CVSS score is 9.6 and the vulnerability enables sandbox escape.
  • Review Mozilla’s vendor advisories and the linked Bugzilla issue for any deployment-specific guidance.
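The inventory check above, as an added example that is not part of the PatchSiren debrief or any Mozilla tooling: it flags Mozilla installs whose version is still below the fixed release for their branch (release, ESR 115, or ESR 140). The fixed versions are the ones stated in this debrief; the hostnames and version strings are constructed sample data, and the branch is inferred from the "esr" suffix Mozilla uses in ESR version strings.

```python
# Added example, not from the debrief. Fixed versions per product and branch
# come from the CVE-2026-8953 debrief; everything else is constructed sample data.
from typing import Dict, List, Tuple

# Minimum patched version for each product/branch, as stated in the debrief.
FIXED: Dict[str, Dict[str, Tuple[int, ...]]] = {
    "firefox":     {"release": (151,), "esr115": (115, 36), "esr140": (140, 11)},
    "thunderbird": {"release": (151,), "esr140": (140, 11)},
}

def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '140.10.0esr' into (140, 10, 0); non-digit suffixes are dropped."""
    parts = []
    for piece in ver.lower().removesuffix("esr").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def branch_for(product: str, ver: str) -> str:
    """Pick the branch whose fixed release applies to this install.

    Only the ESR branches the advisory names (Firefox 115/140, Thunderbird 140)
    get their own threshold. Any other build, including an unlisted ESR line,
    is compared against the release threshold (151), which is conservative:
    it gets flagged for review rather than silently passed.
    """
    major = parse_version(ver)[0]
    is_esr = ver.lower().endswith("esr")
    if product == "firefox" and is_esr and major == 115:
        return "esr115"
    if is_esr and major == 140:
        return "esr140"
    return "release"

def is_vulnerable(product: str, ver: str) -> bool:
    """True when the install is below the fixed release for its branch."""
    return parse_version(ver) < FIXED[product][branch_for(product, ver)]

# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("ws-01", "firefox", "150.0.1"),        # release channel, below 151
    ("ws-02", "firefox", "151.0"),          # patched
    ("ws-03", "firefox", "140.10.0esr"),    # ESR 140, below 140.11
    ("ws-04", "firefox", "140.11.0esr"),    # patched
    ("ws-05", "firefox", "115.35.0esr"),    # ESR 115, below 115.36
    ("mail-01", "thunderbird", "140.11.0esr"),  # patched
    ("mail-02", "thunderbird", "140.9.1esr"),   # below 140.11
]

def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames that still need the CVE-2026-8953 fix."""
    return [host for host, product, ver in inventory if is_vulnerable(product, ver)]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required for CVE-2026-8953")
```

Feed it your real inventory export in the same (hostname, product, version) shape; a release-channel Firefox 140.x is correctly flagged even though ESR 140.11 is fixed, because the two branches have different thresholds.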

Evidence notes

All facts in this debrief come from the supplied CVE/NVD metadata and the provided Mozilla reference links. The record identifies the flaw as a sandbox escape due to a use-after-free in the Disability Access APIs component, with CWE-416 listed in NVD. The affected and fixed versions are taken from the NVD CPE criteria and the CVE description: Firefox fixed in 151, Firefox ESR fixed in 115.36 and 140.11, and Thunderbird fixed in 151 and 140.11. The CVE was published on 2026-05-19.

Official resources

Publicly disclosed on 2026-05-19 via the CVE/NVD record and Mozilla reference links.