Vulnerability · NVD

CVE-2026-8974

HIGH 8.8 Published on 2026-05-19

Memory safety bugs present in Firefox ESR 140.10 and Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Attack vector : Network No privileges required

Show raw CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS 0.05% exploit very unlikely percentile 14.3%

Tracked apps referencing this CVE

For each app: the affected range, the fixing version, and where the tracked app stands today.

Mozilla Thunderbird Windows winget:Mozilla.Thunderbird

Affected <151.0.0 Fixed in 151.0.0 Latest tracked 151.0.1 patched

Vulnerable CPE configurations (2)

Vendor	Product	Platform	Versions	CPE 2.3 URI
mozilla	thunderbird All platforms (wildcard)	All platforms (wildcard)	<140.11	cpe:2.3:a:mozilla:thunderbird:::::esr:::*
mozilla	thunderbird All platforms (wildcard)	All platforms (wildcard)	<151.0.0	cpe:2.3:a:mozilla:thunderbird:::::-:::*

View on NVD ↗