PatchSiren

CVE-2026-8967 Mozilla CVE debrief

CVE-2026-8967 is a Mozilla information disclosure vulnerability in the Graphics: WebGPU component. NVD rates it HIGH severity with a CVSS 3.1 score of 7.5, and the published vector indicates network reachability, low attack complexity, no privileges required, no user interaction, and confidentiality impact only. Mozilla states the issue was fixed in Firefox 151 and Thunderbird 151.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Organizations and users running Firefox or Thunderbird versions earlier than 151.0.0 should prioritize this issue, especially in environments where WebGPU is enabled or in use. Security teams responsible for desktop fleet patching should treat it as a high-priority browser update.

Technical summary

The NVD record classifies CVE-2026-8967 as CWE-200 (Information Exposure). The vulnerability affects Mozilla Firefox and Thunderbird releases before 151.0.0, with NVD listing vulnerable CPEs for both products. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a remotely reachable disclosure issue with high confidentiality impact and no reported integrity or availability impact.

Defensive priority

High. This is a remotely reachable, no-user-interaction information disclosure issue in widely deployed client software, and vendor fixes are available in Firefox 151 and Thunderbird 151.

Recommended defensive actions

  • Upgrade Firefox to version 151 or later.
  • Upgrade Thunderbird to version 151 or later.
  • Verify auto-update channels are working and that affected endpoints actually received the patched builds.
  • Review any internal browser or mail client deployment baselines to ensure no systems remain on versions earlier than 151.0.0.
  • Track the Mozilla advisory and NVD record for any follow-up notes or clarifications.
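
One way to carry out the endpoint and baseline checks above, as an added example that is not part of the original debrief or any Mozilla tooling. It assumes a software inventory exported as CSV with host, product and version columns; the column names, host names and sample rows are constructed for illustration. Version strings that are not plain numeric releases (pre-release builds, missing values) are marked for manual review, because the debrief only gives the 151.0.0 boundary.

```python
import csv
import io
import re

# From the debrief: Firefox and Thunderbird releases before 151.0.0 are affected.
FIXED = (151, 0, 0)
PRODUCTS = {"firefox", "thunderbird"}
# Plain numeric releases only: "151", "151.0", "151.0.1".
PLAIN_RELEASE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def classify(version):
    """Return 'patched', 'vulnerable' or 'review' for one version string."""
    m = PLAIN_RELEASE.match(version.strip())
    if not m:
        # Suffixes such as "151.0b4" or an empty field: do not guess.
        return "review"
    parts = tuple(int(p or 0) for p in m.groups())
    return "patched" if parts >= FIXED else "vulnerable"


def audit(inventory_csv):
    """Classify every Firefox/Thunderbird row of an inventory CSV."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        if product not in PRODUCTS:
            continue  # other software is out of scope for this CVE
        version = row["version"]
        findings.append((row["host"], product, version, classify(version)))
    return findings


# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,product,version
ws-001,Firefox,151.0
ws-002,Firefox,150.0.2
ws-003,Thunderbird,151.0.1
ws-004,Thunderbird,149.0
ws-005,Firefox,151.0b4
ws-006,Firefox,
ws-007,Chromium,140.0
"""

if __name__ == "__main__":
    # Print only the rows that still need action.
    for host, product, version, status in audit(SAMPLE_INVENTORY):
        if status != "patched":
            print(f"{host}\t{product}\t{version or '<missing>'}\t{status}")
```

Rows reported as review need a human decision rather than an automatic pass, since the inventory value does not prove the endpoint received a fixed build.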

Evidence notes

The supplied NVD record marks the CVE as analyzed and lists affected Mozilla CPEs ending before 151.0.0 for Firefox and Thunderbird. Mozilla references include a Bugzilla issue and two vendor advisories, and the record maps the weakness to CWE-200. The CVSS vector provided by NVD is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Official resources

Publicly disclosed and published on 2026-05-19, with an NVD modification record on 2026-05-20. Mozilla says the issue was fixed in Firefox 151 and Thunderbird 151.