Description
Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2.
Published: 2026-05-07
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Use‑after‑free in the DOM networking component is a memory‑management flaw (CWE‑416) combined with improper handling of reference‑counted objects (CWE‑825) that can be triggered by malformed network traffic. The defect permits an attacker to dereference freed memory, which may lead to memory corruption and, in some scenarios, arbitrary code execution. The description does not specify a confirmed exploitation path, but the nature of this use‑after‑free vulnerability indicates a significant risk if exploited.

Affected Systems

All Mozilla Firefox builds before version 150.0.2, including the ESR 140.10.2 and ESR 115.35.2 releases, as well as all Thunderbird builds before 150.0.2 and the ESR 140.10.2 version, are vulnerable. Users running any of these versions are affected until they upgrade to the patched releases.

Risk and Exploitability

The EPSS score is below 1%, indicating a very low exploitation probability, and the issue is not catalogued in the CISA KEV list, meaning there is no publicly known exploitation. The CVSS score of 7.3 places the vulnerability in the high severity range. While the primary attack vector is likely network traffic from a malicious web page, the precise exploitation conditions are not detailed in the CVE text; this inference is based on the general characteristics of the flaw rather than explicit documentation.

Generated by OpenCVE AI on May 9, 2026 at 03:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to 150.0.2 or later, or to the corresponding ESR 140.10.2 / 115.35.2 patch releases.
  • Upgrade Mozilla Thunderbird to 150.0.2 or the ESR 140.10.2 patch releases.
  • Ensure the browser and email client’s automatic update feature is enabled so that future security patches are applied promptly.

Generated by OpenCVE AI on May 9, 2026 at 03:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4575-1 firefox-esr security update
Debian DLA Debian DLA DLA-4582-1 thunderbird security update
Debian DSA Debian DSA DSA-6254-1 firefox-esr security update
Debian DSA Debian DSA DSA-6267-1 thunderbird security update
History

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, and Firefox ESR 115.35.2. Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2.
References

Thu, 07 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, and Firefox ESR 115.35.2.
Title Use-after-free in the DOM: Networking component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-08T12:19:00.246Z

Reserved: 2026-05-07T12:45:04.220Z

Link: CVE-2026-8090

cve-icon Vulnrichment

Updated: 2026-05-07T13:48:59.592Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-07T13:16:13.967

Modified: 2026-05-08T20:08:50.323

Link: CVE-2026-8090

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-07T12:45:04Z

Links: CVE-2026-8090 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T03:30:24Z

Weaknesses