PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8968 Mozilla CVE debrief

CVE-2026-8968 is a Mozilla vulnerability in the Audio/Video: Web Codecs component that can cause a denial of service through an invalid pointer condition. Mozilla states the issue was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Administrators and users running Mozilla Firefox or Thunderbird, especially systems on the affected release families listed in the NVD CPE criteria and Mozilla advisories.

Technical summary

NVD classifies this issue as CVSS 3.1 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-reachable availability impact with no privileges or user interaction required. The weakness is mapped to CWE-400, and the published description attributes the failure to an invalid pointer in the Audio/Video: Web Codecs component, resulting in denial of service. NVD lists vulnerable Firefox and Thunderbird release ranges, and Mozilla advisories document the fixes in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Defensive priority

High. This is a remote, unauthenticated availability issue in widely deployed browser and mail client software, so patching should be prioritized soon after validation.

Recommended defensive actions

  • Update Firefox to 151 or later, or Firefox ESR to 140.11 or later.
  • Update Thunderbird to 151 or later, or Thunderbird ESR to 140.11 or later.
  • Verify deployed versions against the NVD affected CPE ranges before scheduling remediation.
  • Track Mozilla security advisories linked in the NVD record for product-specific guidance.
  • If patching is delayed, reduce exposure by limiting unnecessary use of affected clients until remediation is complete.
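
One way to script the version check above is to flag installs that report a version below the fixed releases named in this debrief. This is an added example, not PatchSiren, NVD, or Mozilla code. The inventory rows, host names, and channel labels are constructed assumptions, and because the NVD CPE ranges are not reproduced on this page, "below the fixed release" is treated here as "needs update".

```python
import re

# Fixed releases as stated in this debrief: (product, channel) -> first fixed version.
FIXED = {
    ("firefox", "release"): (151,),
    ("firefox", "esr"): (140, 11),
    ("thunderbird", "release"): (151,),
    ("thunderbird", "esr"): (140, 11),
}

def parse_version(text):
    """Turn '140.11.0esr' or '151.0' into a tuple of ints; None if unparseable."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:esr)?", text.strip().lower())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_patched(product, channel, version):
    """True/False against the fixed release; None when the row cannot be judged."""
    fixed = FIXED.get((product.lower(), channel.lower()))
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return None
    # Pad with zeros so 151, 151.0 and 151.0.0 compare as equal.
    width = max(len(fixed), len(parsed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(parsed) >= pad(fixed)

def triage(inventory):
    """Return (hosts needing an update, hosts needing manual review)."""
    needs_update, review = [], []
    for host, product, channel, version in inventory:
        verdict = is_patched(product, channel, version)
        if verdict is None:
            review.append(host)      # unknown channel or odd version string
        elif not verdict:
            needs_update.append(host)
    return needs_update, review

# Constructed inventory: (host, product, channel, reported version).
SAMPLE = [
    ("ws-01", "Firefox", "release", "150.0.2"),
    ("ws-02", "Firefox", "esr", "140.11.0esr"),
    ("ws-03", "Thunderbird", "esr", "140.10.1"),
    ("ws-04", "Thunderbird", "release", "151.0"),
    ("ws-05", "Firefox", "beta", "151.0b3"),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Rows on channels the debrief does not name, or with version strings that do not parse, are returned for manual review rather than being marked patched.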

Evidence notes

Supported by the NVD record for CVE-2026-8968, which publishes CVSS 3.1 7.5 HIGH, CWE-400, and vulnerable Mozilla Firefox/Thunderbird CPE criteria. Mozilla vendor advisory links are included in the source corpus and identify the fixed releases. The CVE publishedAt timestamp supplied here is 2026-05-19T14:16:53.277Z; the modifiedAt timestamp is 2026-05-20T14:56:28.700Z.

Official resources

Publicly disclosed in the source record on 2026-05-19T14:16:53.277Z and updated on 2026-05-20T14:56:28.700Z. Use the NVD and Mozilla advisory links for official remediation details.