Description
Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Published: 2026-01-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption that could allow code execution
Action: Patch ASAP
AI Analysis

Impact

The vulnerability is an incorrect boundary condition in the graphics component. The flaw can cause memory corruption during rendering operations, potentially leading to arbitrary code execution or process termination. It is classified as a buffer overflow (CWE‑119). No additional detail about the exploitation vector is given, but the nature of the flaw suggests it could be triggered by rendering manipulated graphics data.

Affected Systems

Affected products include Mozilla Firefox, Firefox ESR, Thunderbird, and Thunderbird ESR. Versions prior to Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7 are vulnerable. The bug was fixed in the mentioned releases.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. The EPSS score is less than 1%, implying a low but nonzero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote through rendering malicious content; however, exact conditions are not specified. As such, the risk remains moderate, and patching is recommended.

Generated by OpenCVE AI on April 15, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to one of the fixed versions (Firefox 147, Firefox ESR 115.32 or 140.7, Thunderbird 147, Thunderbird 140.7).
  • If an upgrade is not immediately possible, disable graphics hardware acceleration in the application's settings to reduce exposure to the bug.
  • Keep the system patched and monitor Mozilla security advisories for any additional updates.

Generated by OpenCVE AI on April 15, 2026 at 15:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4439-1 firefox-esr security update
Debian DLA Debian DLA DLA-4442-1 thunderbird security update
Debian DSA Debian DSA DSA-6101-1 firefox-esr security update
Debian DSA Debian DSA DSA-6103-1 thunderbird security update
Ubuntu USN Ubuntu USN USN-7991-1 Thunderbird vulnerabilities
History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7. Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Thu, 15 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-501

Thu, 15 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 15 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, and Firefox ESR < 140.7. Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, and Thunderbird < 140.7.
References

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Mozilla firefox Esr
Vendors & Products Mozilla
Mozilla firefox
Mozilla firefox Esr

Wed, 14 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 13 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-501
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 13 Jan 2026 14:00:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Graphics component. This vulnerability affects Firefox < 147, Firefox ESR < 115.32, and Firefox ESR < 140.7.
Title Incorrect boundary conditions in the Graphics component
References

Subscriptions

Mozilla Firefox Firefox Esr Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:51:57.056Z

Reserved: 2026-01-13T13:30:57.209Z

Link: CVE-2026-0886

cve-icon Vulnrichment

Updated: 2026-01-13T20:27:33.852Z

cve-icon NVD

Status : Modified

Published: 2026-01-13T14:16:39.140

Modified: 2026-04-13T15:17:17.743

Link: CVE-2026-0886

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-13T13:30:57Z

Links: CVE-2026-0886 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses