PatchSiren cyber security CVE debrief

CVE-2026-8959 Mozilla CVE debrief

CVE-2026-8959 is a critical Mozilla sandbox-escape vulnerability in the Widget: Win32 component. NVD assigns a 9.6 CVSS score and a vector of AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating a network-reachable issue that requires user interaction, crosses a security boundary (changed scope, consistent with a sandbox escape), and has high confidentiality, integrity and availability impact once triggered. Mozilla fixed the issue in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Vendor: Mozilla
Product: Firefox
CVSS: CRITICAL 9.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Security teams and administrators responsible for Firefox and Thunderbird deployments should treat this as urgent, especially endpoint teams managing desktop fleets and any environment where users open untrusted web or mail content on affected Mozilla clients.

Technical summary

The published description identifies a sandbox escape caused by incorrect boundary conditions in the Widget: Win32 component. In practical terms, this is an isolation-bypass class issue: an attacker who can get a user to interact with malicious content may be able to break out of the intended sandbox boundary and materially increase the impact of a compromise. NVD lists the affected version ranges as Firefox before 151.0.0, Firefox ESR before 140.11.0, Thunderbird before 151.0.0, and Thunderbird ESR before 140.11.

Defensive priority

Immediate patching priority. This is a critical, remotely reachable issue that requires no privileges but does require user interaction, so remediation should be accelerated across all affected Mozilla product deployments.

Recommended defensive actions

  • Upgrade Firefox to 151.0 or later, or Firefox ESR to 140.11 or later, depending on your release channel.
  • Upgrade Thunderbird to 151.0 or later, or Thunderbird ESR to 140.11 or later, depending on your release channel.
  • Inventory all endpoints and virtual desktops running affected Mozilla clients and confirm the installed versions are outside the vulnerable ranges.
  • Prioritize remediation for systems that regularly open untrusted web pages or email content, since user interaction is required for exploitation.
  • Review Mozilla vendor advisories and the linked bug record for any product-specific deployment guidance or follow-up notices.
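The inventory step above is where fleets usually go wrong, because the release and ESR channels have different fix versions. The following script is an added example, not PatchSiren's or Mozilla's tooling: it classifies version strings in the form printed by `firefox --version` / `thunderbird --version` (for example "Mozilla Firefox 140.10.0esr") against the ranges cited in this debrief. The hostnames and versions in the sample inventory are constructed.

```python
import re

# Fix thresholds from the advisory. The ESR line is 140.x, so any
# 140.x build is judged against 140.11; every other major against 151.0.
ESR_MAJOR = 140
FIXED_ESR = (140, 11)
FIXED_RELEASE = (151, 0)

_VERSION_RE = re.compile(
    r"(Firefox|Thunderbird)\s+(\d+)\.(\d+)(?:\.(\d+))?(esr)?", re.I)


def parse_version(line):
    """Return (product, (major, minor, patch)) or None if not a Mozilla client."""
    m = _VERSION_RE.search(line)
    if not m:
        return None
    product = m.group(1).capitalize()
    major, minor = int(m.group(2)), int(m.group(3))
    patch = int(m.group(4)) if m.group(4) else 0
    return product, (major, minor, patch)


def is_vulnerable(version):
    """True if the version is below the CVE-2026-8959 fix for its channel."""
    major, minor, _patch = version
    if major == ESR_MAJOR:
        return (major, minor) < FIXED_ESR
    return (major, minor) < FIXED_RELEASE


def triage(inventory):
    """Map host -> 'vulnerable' / 'fixed' / 'unknown' for lines of the
    form 'hostname<TAB>version string'."""
    result = {}
    for line in inventory:
        host, _, ver = line.partition("\t")
        parsed = parse_version(ver)
        if parsed is None:
            result[host] = "unknown"   # not a Firefox/Thunderbird entry
            continue
        result[host] = "vulnerable" if is_vulnerable(parsed[1]) else "fixed"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    "ws-01\tMozilla Firefox 140.10.0esr",    # ESR below 140.11 -> vulnerable
    "ws-02\tMozilla Firefox 140.11.0esr",    # ESR fix version   -> fixed
    "ws-03\tMozilla Firefox 150.0.1",        # release below 151 -> vulnerable
    "ws-04\tMozilla Thunderbird 151.0",      # release fix       -> fixed
    "ws-05\tMozilla Thunderbird 140.9.0esr", # ESR below 140.11  -> vulnerable
    "ws-06\tlibreoffice 7.6",                # not a Mozilla client -> unknown
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}\t{status}")
```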

Evidence notes

The assessment is based on the supplied NVD record and Mozilla references. The CVE was published on 2026-05-19T14:16:52.280Z and modified on 2026-05-20T14:28:29.307Z. NVD marks the vulnerability status as Analyzed and lists vendor advisories from Mozilla plus a Bugzilla issue reference. The vulnerable CPE ranges and fixed versions in the record support the remediation targets cited above.

Official resources

CVE published by NVD on 2026-05-19 and modified on 2026-05-20. Use the CVE published timestamp as the issue date for tracking and response planning.