PatchSiren

CVE-2026-8972 Mozilla CVE debrief

CVE-2026-8972 is a Mozilla privilege-escalation vulnerability in the WebRTC: Audio/Video component. NVD rates it 8.8 High with a network attack vector, low attack complexity, no attacker privileges, and user interaction required. Mozilla’s advisory references indicate the issue was fixed in Firefox 151 and Thunderbird 151, and NVD lists affected versions as those before 151.0.0.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Security teams and endpoint admins running Mozilla Firefox or Thunderbird should prioritize this if any systems remain on versions earlier than 151.0.0. It is especially relevant where browsers or mail clients are broadly deployed and where WebRTC features are in use.

Technical summary

The available source data describes a privilege-escalation flaw in Firefox and Thunderbird’s WebRTC: Audio/Video component. NVD maps the issue to CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and associates CWE-269. The vendor references point to Mozilla Bugzilla tracking and Mozilla security advisories, and the CVE record says the issue was fixed in Firefox 151 and Thunderbird 151.

Defensive priority

High

Recommended defensive actions

  • Upgrade Mozilla Firefox to 151 or later.
  • Upgrade Mozilla Thunderbird to 151 or later.
  • Verify fleet inventories for Firefox and Thunderbird versions earlier than 151.0.0.
  • Prioritize remediation on systems that use WebRTC features or are exposed to higher-risk browsing and messaging workflows.
  • Use the linked Mozilla advisories and NVD record to validate affected versions and track any follow-up updates.
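
The inventory check from the list above, as an added example (not code from Mozilla, NVD or PatchSiren): it flags Firefox and Thunderbird installs earlier than 151.0.0 and reports version strings it cannot parse instead of treating them as safe. The CSV layout, host names and versions are constructed; treating pre-release builds of 151 as needing an update is an assumption, and ESR builds are compared numerically because the page gives only the "before 151.0.0" range.

```python
import csv
import io
import re

FIXED = (151, 0, 0)  # first fixed version stated on this page
PRODUCTS = {"firefox", "thunderbird"}
# Mozilla-style version strings: 150.0.1, 151.0, 151.0b3, 140.5.0esr
VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(a\d+|b\d+|rc\d+|esr)?$", re.I)

# Constructed sample inventory (hypothetical hosts and CSV layout).
SAMPLE_INVENTORY = """host,product,version
ws-001,Firefox,150.0.1
ws-002,Firefox,151.0
ws-003,Thunderbird,151.0b3
ws-004,Thunderbird,151.0.1
ws-005,Firefox,140.5.0esr
ws-006,Firefox,unknown
ws-007,Chrome,130.0.1
"""

def classify(version):
    """Return 'update', 'ok' or 'unparsed' for one version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"  # never assume an unreadable version is safe
    parts = tuple(int(p or 0) for p in m.group(1, 2, 3))
    suffix = (m.group(4) or "").lower()
    if parts < FIXED:
        return "update"
    # Assumption: alpha/beta/rc builds of exactly 151.0.0 predate the release.
    if parts == FIXED and suffix and suffix != "esr":
        return "update"
    return "ok"

def audit(inventory_csv):
    """Return (host, product, version, status) for rows needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() not in PRODUCTS:
            continue  # out of scope for this CVE
        status = classify(row["version"])
        if status != "ok":
            findings.append((row["host"], row["product"], row["version"], status))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding, sep="\t")
```

Rows tagged `unparsed` need a manual check; ESR rows flagged `update` should be confirmed against the Mozilla advisories before scheduling.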

Evidence notes

This debrief is based only on the supplied NVD source item and official links. The source metadata lists Mozilla as the vendor, a privilege-escalation issue in the WebRTC: Audio/Video component, NVD severity of 8.8 High, CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and CWE-269. The referenced Mozilla Bugzilla entry and two Mozilla security advisories support the vendor-side disclosure trail. The supplied record states the fix landed in Firefox 151 and Thunderbird 151, with vulnerable CPE ranges ending before 151.0.0.

Official resources

Public disclosure is reflected in Mozilla’s Bugzilla tracking and security advisories listed by NVD, with the CVE published on 2026-05-19 and updated on 2026-05-20.