PatchSiren


CVE-2026-8958 Mozilla CVE debrief

CVE-2026-8958 is a high-severity Mozilla vulnerability affecting the Security: Process Sandboxing component. According to the CVE record, it can lead to information disclosure and sandbox escape. Mozilla fixed the issue in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Firefox and Thunderbird users, endpoint administrators, and security teams responsible for browser and mail-client patching should prioritize this CVE, especially on systems that rely on browser sandboxing for containment.

Technical summary

The NVD record classifies this issue with CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, indicating network reachability, no privileges required, no user interaction, and high confidentiality impact with changed scope. NVD also maps the issue to CWE-668 and CWE-693. The public description states that the flaw is in Mozilla's process sandboxing and can result in information disclosure and sandbox escape.

Defensive priority

High. The combination of no user interaction, no privileges, high confidentiality impact, and sandbox boundary impact makes this a strong patch-priority issue for Mozilla deployments.

Recommended defensive actions

  • Update Firefox to 151 or later, or Firefox ESR to 140.11 or later.
  • Update Thunderbird to 151 or later, or Thunderbird ESR to 140.11 or later.
  • Confirm affected version coverage across managed endpoints and user devices.
  • Review Mozilla security advisories linked from the CVE record for vendor guidance and rollout details.
  • Verify that patching completed successfully on all supported operating systems and deployment channels.
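
One way to confirm version coverage against the fixed releases listed above, as an added example that is not part of the CVE record or any Mozilla tooling. It assumes a hypothetical CSV inventory export with host, product and version columns, and that ESR builds report an "esr" suffix in the version string; the sample rows are constructed.

```python
import csv
import io
import re

# First fixed versions as stated in this debrief, keyed by (product, channel).
FIXED = {
    ("firefox", "release"): (151, 0, 0),
    ("firefox", "esr"): (140, 11, 0),
    ("thunderbird", "release"): (151, 0, 0),
    ("thunderbird", "esr"): (140, 11, 0),
}

# Constructed sample inventory export (hypothetical hosts and column names).
SAMPLE = """host,product,version
ws-01,Firefox,151.0
ws-02,Firefox,150.0.2
ws-03,Firefox,140.10.1esr
ws-04,Firefox,140.11.0esr
ws-05,Thunderbird,140.11.0esr
ws-06,Thunderbird,145.0
ws-07,Firefox,151.0b3
"""

def parse_version(text):
    """Return ((major, minor, patch), channel) for strings like '140.10.1esr'."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(part or 0) for part in m.group(1, 2, 3))
    return nums, "esr" if m.group(4) else "release"

def classify(product, version):
    """Compare one install against the fixed version for its channel."""
    try:
        nums, channel = parse_version(version)
        fixed = FIXED[(product.strip().lower(), channel)]
    except (ValueError, KeyError):
        return "review"  # unknown product or format (e.g. beta): check by hand
    return "patched" if nums >= fixed else "vulnerable"

def audit(inventory_csv):
    """Return (host, product, version, status) for every inventory row."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["product"], r["version"],
             classify(r["product"], r["version"])) for r in rows]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Rows marked "review" are version strings or products the script does not recognise, so they are surfaced for manual checking rather than silently counted as patched.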

Evidence notes

This debrief is based only on the supplied NVD CVE record and the official Mozilla references listed there. The CVE description explicitly says "Information disclosure, sandbox escape in the Security: Process Sandboxing component" and states the issue was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. NVD shows the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, vulnerability status "Analyzed," and vulnerable CPE ranges ending before Firefox 151.0.0 / ESR 140.11.0 and Thunderbird 151.0.0 / ESR 140.11. The Bugzilla and Mozilla advisory URLs are included in the source corpus, but no advisory body text was provided here.

Official resources

Published by the CVE source on 2026-05-19T14:16:52.170Z and modified on 2026-05-20T15:01:41.923Z. Use the published date as the issue date for timing context.