Description
Memory safety bugs present in Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2 and Thunderbird 150.0.2.
Published: 2026-05-07
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Memory safety bugs were present in Firefox 150.0.1. Some of these bugs showed evidence of memory corruption, and it is presumed that with sufficient effort some of them could have been exploited to run arbitrary code. The vulnerability was addressed in Firefox 150.0.2 and Thunderbird 150.0.2.

Affected Systems

Mozilla Thunderbird 150.0.1 and Mozilla Firefox 150.0.1 are affected by memory safety bugs that could allow arbitrary code execution. Both products contain the flaws; the issue was resolved in version 150.0.2. No other affected releases are explicitly cited based on the provided data.

Risk and Exploitability

The CVSS score is 8.1, indicating a high severity. The EPSS score is < 1%, indicating a very low but non-zero likelihood of exploitation, and the vulnerability is not listed in CISA's KEV catalog, suggesting no known public exploits. The likely attack vector involves an attacker delivering crafted content such as malicious email attachments or other exploitative messages that trigger Thunderbird's memory corruption, allowing an attacker to gain arbitrary code execution in the Thunderbird process and potentially compromise the host system.

Generated by OpenCVE AI on May 18, 2026 at 09:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Thunderbird and Mozilla Firefox to version 150.0.2 or later, which includes the fix for the memory safety bugs.
  • If a timely update is not possible, avoid opening untrusted or suspicious email attachments while using Thunderbird 150.0.1 or Firefox 150.0.1.
  • Consider using a hardened remote email environment or an alternative email client that has already received the patch if the update cannot be applied immediately.

Advisories

No advisories yet.

History

Mon, 18 May 2026 08:30:00 +0000


Mon, 18 May 2026 08:00:00 +0000

Type | Values Removed | Values Added
Description | Memory safety bugs present in Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2 and Thunderbird 150.0.2. | Memory safety bugs present in Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2 and Thunderbird 150.0.2.
Title | Memory safety bugs fixed in Thunderbird 150.0.2 | Memory safety bugs fixed in Firefox 150.0.2
References | |

Tue, 12 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

threat_severity

Important


Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Fri, 08 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 13:00:00 +0000

Type | Values Removed | Values Added
Description | Memory safety bugs present in Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2. | Memory safety bugs present in Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2 and Thunderbird 150.0.2.
Title | Memory safety bugs fixed in Firefox 150.0.2 | Memory safety bugs fixed in Thunderbird 150.0.2
References | |

Thu, 07 May 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-122

Thu, 07 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses CWE-120
CWE-122
Vendors & Products Mozilla
Mozilla firefox

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2.
Title Memory safety bugs fixed in Firefox 150.0.2
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-18T07:32:31.553Z

Reserved: 2026-05-07T12:45:07.174Z

Link: CVE-2026-8093

Vulnrichment

Updated: 2026-05-07T13:50:58.540Z

NVD

Status: Modified

Published: 2026-05-07T13:16:14.317

Modified: 2026-05-18T08:16:15.137

Link: CVE-2026-8093

Redhat

Severity: Important

Public Date: 2026-05-07T12:45:07Z

Links: CVE-2026-8093 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-18T09:30:22Z

Weaknesses