Description
Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.
Published: 2026-05-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, it is inferred that the audio and video playback component has incorrect boundary checks, which can allow the parser to read beyond the intended buffer when processing malformed media files. While the update does not explicitly mention a crash or data leak, such an over‑read can cause a memory corruption event that may lead the application to crash or expose unexpected data.

Affected Systems

The vulnerability affects all releases of Mozilla Firefox and Thunderbird that use the legacy audio/video playback component before the patch was applied. Specifically, any version of Firefox older than 150, any version of Thunderbird older than 150, any ESR 115.x release older than 115.35.2, and any ESR 140.x release older than 140.10.1 is susceptible. Users should check whether their build precedes those fixed versions and, if it does, apply the corresponding update.

Risk and Exploitability

The EPSS score is < 1% and the issue is not listed in CISA’s KEV catalog, so the current exploitation probability is low. The CVSS score of 9.8 indicates a critical severity, confirming that memory corruption in a browser component is a high‑risk vulnerability. Based on the description, it is inferred that the likely attack vector is delivering a malformed media file via a webpage or malicious download, potentially triggering a crash or data leak. The risk is elevated for environments that routinely encounter untrusted media content, and timely remediation is advised.

Generated by OpenCVE AI on May 11, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to at least Firefox 150 and Thunderbird 150, or to the respective ESR release (Firefox 115.35.2, Firefox 140.10.1, or Thunderbird 140.10.1) or newer for either product.
  • If an ESR branch cannot be updated, migrate to a newer non‑ESR release of Firefox or Thunderbird that contains the security fix.
  • Until a patch is applied, restrict or disable playback from untrusted media sources via security settings or group policy.
  • Consider disabling the legacy audio/video playback engine completely if media playback is not required.

Advisories

No advisories yet.

History

Mon, 11 May 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla thunderbird

Sat, 09 May 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-126
CWE-787

Fri, 08 May 2026 23:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-754
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-126
CWE-787

Thu, 07 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-127

Thu, 07 May 2026 16:30:00 +0000

Type Values Removed Values Added
References

Thu, 07 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description
Removed: Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Firefox ESR 115.35.2.
Added: Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.
Weaknesses CWE-119
CWE-127
References

Thu, 07 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description
Removed: Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox ESR 140.10.2 and Firefox ESR 115.35.2.
Added: Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, and Firefox ESR 115.35.2.
References

Thu, 07 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Thu, 07 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox ESR 140.10.2 and Firefox ESR 115.35.2.
Title Incorrect boundary conditions in the Audio/Video: Playback component
References

Subscriptions

Mozilla Firefox Thunderbird
MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-08T22:33:49.148Z

Reserved: 2026-05-07T12:45:05.120Z

Link: CVE-2026-8091

Vulnrichment

Updated: 2026-05-08T22:33:37.624Z

NVD

Status: Analyzed

Published: 2026-05-07T13:16:14.087

Modified: 2026-05-11T15:20:21.330

Link: CVE-2026-8091

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T18:30:05Z

Weaknesses