PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8955 Mozilla CVE debrief

CVE-2026-8955 is a Mozilla privilege-escalation issue in the DOM Workers component. NVD rates it 8.8 HIGH with a network-reachable attack path that requires user interaction. Mozilla fixed the issue in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird ESR 140.11. The supplied corpus does not include the full advisory text, so the most reliable details here come from the CVE record, NVD metadata, and Mozilla reference links.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Mozilla Firefox and Thunderbird users and administrators, especially teams managing enterprise desktop fleets, ESR deployments, and environments where browser or mail-client updates are staged centrally. Security teams should prioritize systems running Firefox or Thunderbird versions earlier than the fixed releases.

Technical summary

The supplied record describes a privilege-escalation flaw in Mozilla's DOM Workers component. NVD maps the issue to CWE-269 and assigns CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating remote exploitation with user interaction required and high potential impact if triggered. Affected versions are those before Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird ESR 140.11. No deeper root-cause details are provided in the corpus.

Defensive priority

High. Treat as a priority patch because the issue is remotely reachable, requires only user interaction, and is already fixed in released Mozilla builds.

Recommended defensive actions

  • Update Firefox to 151 or later, or Firefox ESR to 140.11 or later.
  • Update Thunderbird to 151 or later, or Thunderbird ESR to 140.11 or later.
  • Verify which release channel each managed endpoint is on before staging updates.
  • Prioritize internet-facing and high-use user endpoints where interaction with web content or mail content is routine.
  • Use the Mozilla advisory and Bugzilla references to confirm fleet applicability and patched builds.
  • Track any affected systems that cannot be updated immediately and escalate them for remediation planning.
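
One way to apply the fixed-version boundaries above to an endpoint inventory, as an added example that is not part of the original debrief or any Mozilla tooling. The inventory layout, host names and function names are assumptions, and the rows are constructed sample data.

```python
import re

# Fixed-version floors from the debrief; identical for Firefox and Thunderbird.
FLOORS = {"release": (151, 0), "esr": (140, 11)}
PRODUCTS = {"firefox", "thunderbird"}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?(esr)?$", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor), has_esr_suffix), or None if unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2))), bool(m.group(3))


def triage(product, version, channel=None):
    """Classify one install as 'patched', 'vulnerable' or 'review'."""
    parsed = parse_version(version)
    if parsed is None or product.strip().lower() not in PRODUCTS:
        return "review"  # pre-release builds, garbled strings, other products
    numbers, has_esr_suffix = parsed
    # Trust an explicit channel; otherwise infer it from the 'esr' suffix.
    # A suffix-less ESR version with no channel is judged against the release
    # floor, so it is flagged rather than silently passed.
    channel = (channel or ("esr" if has_esr_suffix else "release")).lower()
    floor = FLOORS.get(channel)
    if floor is None:
        return "review"  # channel value the table does not cover
    return "patched" if numbers >= floor else "vulnerable"


# Constructed sample inventory rows: (host, product, version, channel or None).
SAMPLE_INVENTORY = [
    ("wks-01", "Firefox", "150.0.1", None),
    ("wks-02", "Firefox", "151.0", None),
    ("wks-03", "Firefox", "140.10.0esr", None),
    ("wks-04", "Thunderbird", "140.11.0", "esr"),
    ("wks-05", "Thunderbird", "140.11.0", None),
    ("wks-06", "Firefox", "152.0b3", None),
]


def triage_inventory(rows):
    """Map each host to its verdict."""
    return {host: triage(p, v, c) for host, p, v, c in rows}
```

Hosts wks-04 and wks-05 report the same version string and differ only in the recorded channel, which is why the channel has to be verified before a verdict is trusted.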

Evidence notes

This debrief is based on the supplied CVE description, NVD metadata, and Mozilla reference URLs only. The corpus states the vulnerability is a privilege escalation in the DOM Workers component and identifies the fixed versions. NVD supplies the CVSS vector, CWE-269 mapping, and vulnerable version boundaries. No exploit details or advisory body text were provided.

Official resources

Published in the supplied source corpus on 2026-05-19T14:16:51.820Z and modified on 2026-05-20T17:16:29.980Z. The supplied enrichment data does not mark this CVE as KEV-listed.