PatchSiren cyber security CVE debrief

CVE-2026-8957 Mozilla CVE debrief

CVE-2026-8957 is a Mozilla privilege-escalation issue in the Enterprise Policies component. Mozilla fixed it in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. NVD rates the issue 8.8 HIGH and maps it to network-reachable exploitation with user interaction required.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Security teams and administrators managing Mozilla Firefox or Thunderbird deployments, especially enterprise and ESR environments, should prioritize this issue. End users on versions older than the fixed releases should update as soon as possible.

Technical summary

The supplied record identifies a privilege escalation in Mozilla’s Enterprise Policies component. NVD lists affected Firefox releases before 151.0 and Firefox ESR before 140.11.0, plus Thunderbird releases before 151.0 and Thunderbird ESR before 140.11. The NVD CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating a high-severity issue with no privileges required, low attack complexity, and user interaction required.

Defensive priority

High — patch promptly across Firefox and Thunderbird fleets, with extra attention to enterprise and ESR deployments.

Recommended defensive actions

  • Upgrade Firefox to 151 or later, or Firefox ESR to 140.11 or later.
  • Upgrade Thunderbird to 151 or later, or Thunderbird ESR to 140.11 or later.
  • Verify enterprise policy-managed desktops and mail clients are included in patch coverage.
  • Use the referenced Mozilla advisories to confirm remediation guidance and product-specific release notes.
  • Track any systems that cannot be updated immediately and place them on a prioritized remediation list.
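
An added example (not from Mozilla or the NVD record) of turning the fixed-version thresholds above into a prioritized remediation list. The inventory rows are constructed and the CSV column names are assumptions; hosts whose version or channel cannot be interpreted are flagged for manual review rather than treated as fixed.

```python
import csv
import io
import re

# First fixed version per (product, channel), as stated in this debrief.
FIXED = {
    ("firefox", "release"): (151, 0, 0),
    ("firefox", "esr"): (140, 11, 0),
    ("thunderbird", "release"): (151, 0, 0),
    ("thunderbird", "esr"): (140, 11, 0),
}

# Constructed sample inventory; column names are assumptions for this example.
SAMPLE_INVENTORY = """host,product,channel,version
ws-001,Firefox,release,151.0
ws-002,Firefox,release,150.0.2
ws-003,Firefox,esr,140.10.1esr
ws-004,Firefox,esr,140.11.0esr
mail-01,Thunderbird,esr,128.14.0esr
mail-02,Thunderbird,release,151.0.1
kiosk-9,Firefox,release,nightly-build
"""

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not x[.y[.z]][esr]."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:esr)?", text.strip().lower())
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())

def classify(product, channel, version):
    """Return 'fixed', 'vulnerable', or 'unknown' (needs manual review)."""
    fixed = FIXED.get((product.strip().lower(), channel.strip().lower()))
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"
    return "fixed" if parsed >= fixed else "vulnerable"

def remediation_list(inventory_csv):
    """Return (host, status) for hosts not confirmed fixed, vulnerable hosts first."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    pending = [(r["host"], classify(r["product"], r["channel"], r["version"])) for r in rows]
    pending = [p for p in pending if p[1] != "fixed"]
    return sorted(pending, key=lambda p: (p[1] != "vulnerable", p[0]))

if __name__ == "__main__":
    for host, status in remediation_list(SAMPLE_INVENTORY):
        print(f"{host}\t{status}")
```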

Evidence notes

This debrief is based on the supplied NVD modified record and its Mozilla references. The record was published on 2026-05-19 and modified on 2026-05-20. NVD provides the affected CPE criteria, CVSS vector, and Mozilla advisory links. No confirmed exploit campaign, KEV listing, or weaponized reproduction was provided in the source corpus.

Official resources

Publicly disclosed on 2026-05-19 and modified on 2026-05-20. Mozilla fixed the issue in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. No KEV enrichment was provided in the supplied corpus.