Description
Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, and Firefox ESR 115.35.2.
Published: 2026-05-07
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw exists in the DOM networking component of Mozilla Firefox. An attacker who triggers it can cause memory corruption, potentially leading to arbitrary code execution or other severe effects. It is classified as CWE-416, a weakness class that is often high impact and quickly exploited when it can be reached through network-driven input.

Affected Systems

The vulnerability affects all Mozilla Firefox releases prior to 150.0.2, and Firefox ESR releases prior to 140.10.2 and 115.35.2. Users running any of these versions are exposed until they upgrade to the patched releases.

Risk and Exploitability

No EPSS information is available and the vulnerability is not listed in the CISA KEV catalog, indicating limited publicly known exploitation data. However, because the flaw lies in a core networking component and can be invoked via malicious web content, the risk of exploitation remains significant. The CVSS score of 7.3 reflects a high severity level, suggesting that exploitation could result in full compromise of the affected client system.

Generated by OpenCVE AI on May 7, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 150.0.2 or later, or to the corresponding ESR 140.10.2 / 115.35.2 patch releases.
  • Ensure the browser’s automatic update feature is enabled so that future security patches are applied promptly.
  • If an upgrade is not immediately feasible, restrict the browser’s network access or enable strict content‑security policies to limit exposure to potentially malicious web content.


Advisories

No advisories yet.

History

Thu, 07 May 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Mozilla; Mozilla firefox |
| Vendors & Products | | Mozilla; Mozilla firefox |

Thu, 07 May 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-416 |
| Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 07 May 2026 13:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, and Firefox ESR 115.35.2. |
| Title | | Use-after-free in the DOM: Networking component |
| References | | |

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-07T13:49:45.916Z

Reserved: 2026-05-07T12:45:04.220Z

Link: CVE-2026-8090

Vulnrichment

Updated: 2026-05-07T13:48:59.592Z

NVD

Status: Undergoing Analysis

Published: 2026-05-07T13:16:13.967

Modified: 2026-05-07T15:16:11.480

Link: CVE-2026-8090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T16:00:12Z

Weaknesses