Description
Denial-of-service in the DOM: Service Workers component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
Published: 2026-01-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the Service Workers component of the browser’s Document Object Model (DOM) implementation. It can be triggered by malicious content that exploits the component’s resource handling, leading to a denial of service where the browser becomes unresponsive and users are unable to interact with web content or the application itself.

Affected Systems

Mozilla Firefox and Mozilla Thunderbird are impacted. All versions prior to Firefox 147 and Thunderbird 147 are vulnerable, as the issue was fixed in these releases. Any installation of earlier versions that still contain the original Service Workers implementation is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, but the EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves a malicious website or script that registers a Service Worker to exhaust resources or repeatedly manipulate the DOM, causing the browser to freeze. The attack would typically require a user to visit or interact with such content, and does not appear to allow remote code execution or privilege escalation beyond the affected application.

Generated by OpenCVE AI on April 15, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to version 147 or later.
  • Upgrade Thunderbird to version 147 or later.
  • Disable Service Workers for untrusted origins if an immediate upgrade is not possible.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | Denial-of-service in the DOM: Service Workers component. This vulnerability affects Firefox < 147 and Thunderbird < 147. | Denial-of-service in the DOM: Service Workers component. This vulnerability was fixed in Firefox 147 and Thunderbird 147. |

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla thunderbird

Thu, 15 Jan 2026 09:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | Denial-of-service in the DOM: Service Workers component. This vulnerability affects Firefox < 147. | Denial-of-service in the DOM: Service Workers component. This vulnerability affects Firefox < 147 and Thunderbird < 147. |
| References | | |

Wed, 14 Jan 2026 11:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Wed, 14 Jan 2026 00:15:00 +0000


Tue, 13 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 13 Jan 2026 14:00:00 +0000

Type Values Removed Values Added
Description Denial-of-service in the DOM: Service Workers component. This vulnerability affects Firefox < 147.
Title Denial-of-service in the DOM: Service Workers component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-04-13T13:52:05.389Z

Reserved: 2026-01-13T13:30:58.498Z

Link: CVE-2026-0889

Vulnrichment

Updated: 2026-01-13T20:30:23.911Z

NVD

Status: Modified

Published: 2026-01-13T14:16:39.437

Modified: 2026-04-13T15:17:18.280

Link: CVE-2026-0889

Redhat

Severity: Low

Public Date: 2026-01-13T13:30:58Z

Links: CVE-2026-0889 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T18:15:10Z

Weaknesses