PatchSiren


CVE-2026-8974 Mozilla CVE debrief

CVE-2026-8974 is a high-severity Mozilla memory safety issue tied to Firefox and Thunderbird. The vendor and NVD describe evidence of memory corruption, with the possibility that exploitation could have led to arbitrary code execution. Mozilla released fixes in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. Because the CVSS vector includes user interaction, the main risk is on systems where users open or process untrusted content in affected builds.

Vendor: Mozilla
Product: Firefox
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Organizations running Firefox or Thunderbird, especially desktop fleets, managed endpoints, help desks, and security teams responsible for browser and email client patching. Thunderbird users and any environment that delays end-user application updates should treat this as a priority item.

Technical summary

NVD classifies the issue as CWE-119 (memory safety). The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network-reachable exposure with no privileges required, but with user interaction needed. NVD’s affected CPEs cover Firefox ESR builds before 140.11, Firefox non-ESR builds before 151.0.0, Thunderbird ESR builds before 140.11, and Thunderbird non-ESR builds before 151.0.0. The vendor description states some bugs showed evidence of memory corruption and were presumed potentially exploitable for arbitrary code execution.

Defensive priority

High. This is a public, high-severity memory-corruption issue affecting widely deployed Mozilla client software and requiring prompt version-based remediation.

Recommended defensive actions

  • Upgrade Firefox to 151 or later, or Firefox ESR to 140.11 or later.
  • Upgrade Thunderbird to 151 or later, or Thunderbird ESR to 140.11 or later.
  • Verify installed versions across managed endpoints and remove or isolate any affected builds still in service.
  • Prioritize remediation for users who regularly open untrusted web content or email attachments/messages.
  • Track Mozilla advisories MFSA 2026-46, MFSA 2026-48, MFSA 2026-50, and MFSA 2026-51 for vendor guidance and any product-specific notes.
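
The version check in the third action can be scripted against an endpoint inventory export. The following is an added example, not code from PatchSiren or Mozilla; it assumes a hypothetical `host,product,version` CSV export with constructed host names, and it treats any 140.x build at or above 140.11 as the patched ESR branch.

```python
import re

# Fixed versions taken from the advisory text above.
FIXED_RELEASE = (151, 0)   # Firefox 151 / Thunderbird 151
FIXED_ESR = (140, 11)      # Firefox ESR 140.11 / Thunderbird 140.11
PRODUCTS = {"firefox", "thunderbird"}

def parse_version(raw):
    """Return (major, minor) from strings like '140.10.0esr', or None if unparseable."""
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.\d+)*(?:esr)?$", raw.strip().lower())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)

def classify(product, raw_version):
    """Return 'fixed', 'affected', 'not-applicable' or 'review'."""
    if product.strip().lower() not in PRODUCTS:
        return "not-applicable"
    v = parse_version(raw_version)
    if v is None:
        return "review"  # betas, nightlies, mangled inventory data: check by hand
    if v >= FIXED_RELEASE:
        return "fixed"
    # Assumption: only the 140 ESR branch has a patched build below 151.
    if v[0] == FIXED_ESR[0] and v >= FIXED_ESR:
        return "fixed"
    return "affected"  # includes older ESR branches and releases 141 to 150

def triage(inventory_csv):
    """Map each 'host,product,version' line to (host, product, version, status)."""
    rows = []
    for line in inventory_csv.strip().splitlines():
        host, product, version = [f.strip() for f in line.split(",")]
        rows.append((host, product, version, classify(product, version)))
    return rows

# Constructed sample inventory (host names and versions are made up).
SAMPLE = """
ws-001,Firefox,151.0
ws-002,Firefox,150.0.1
ws-003,Firefox,140.10.0esr
ws-004,Firefox,140.11.0esr
ws-005,Thunderbird,140.10.1
ws-006,Firefox,152.0b3
ws-007,Chrome,137.0
"""

if __name__ == "__main__":
    print("\n".join(" ".join(r) for r in triage(SAMPLE)))
```

Rows marked `review` carry version strings the parser does not recognize and need a manual check rather than an automatic pass.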

Evidence notes

The source corpus includes the NVD record for CVE-2026-8974, which lists Mozilla as the vendor, classifies the weakness as CWE-119, and provides the vulnerable version ranges and CVSS vector. The corpus also includes Mozilla vendor advisory links (MFSA 2026-46/48/50/51). The vendor description states the bugs were present in Thunderbird 140.10 and Thunderbird 150 and were fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11. No exploit code or advisory body text was used.

Official resources

Publicly disclosed on 2026-05-19 14:16:53.977Z and modified in the source record on 2026-05-20 18:13:14.840Z.