Description
Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2 and Thunderbird 140.10.2.
Published: 2026-05-07
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Mozilla reports an “Other issue in the WebRTC component” that has received a CVSS of 9.8, indicating a high‑impact flaw. The associated weakness is Code Injection (CWE‑94), suggesting that an attacker may be able to inject and execute code within the browser context. The official description does not disclose the precise attack mechanism, so the exact outcomes remain unspecified, but the severity rating indicates that, if exploited, the vulnerability could compromise the integrity of the affected system.

Affected Systems

Firefox Extended Support Releases and Thunderbird releases older than version 140.10.2 are impacted. Users continuing to run any ESR build prior to 140.10.2 or Thunderbird earlier than that version may encounter this issue in the WebRTC component.

Risk and Exploitability

The EPSS score is listed as less than 1%, implying a low probability of exploitation in the wild at the time of analysis. The vulnerability is not included in CISA’s KEV catalog, indicating no known publicly available exploits. The high CVSS score reflects the potential for serious impact, though the lack of publicly disclosed exploitation details means the real‑world risk is uncertain and appears low based on current evidence.

Generated by OpenCVE AI on May 9, 2026 at 03:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox ESR to 140.10.2 or a newer version to remove the flaw
  • Upgrade Thunderbird to 140.10.2 or newer to eliminate the vulnerability
  • If an immediate upgrade is not possible, disable WebRTC functionality via browser settings or group policy to mitigate exposure
  • Stay informed by reviewing Mozilla security advisories for any updates or additional recommendations

Generated by OpenCVE AI on May 9, 2026 at 03:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4575-1 firefox-esr security update
Debian DLA Debian DLA DLA-4582-1 thunderbird security update
Debian DSA Debian DSA DSA-6254-1 firefox-esr security update
Debian DSA Debian DSA DSA-6267-1 thunderbird security update
History

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Sat, 09 May 2026 01:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Sat, 09 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Fri, 08 May 2026 23:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200

Fri, 08 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2. Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2 and Thunderbird 140.10.2.
References

Thu, 07 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Thu, 07 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Other issue in the WebRTC component. This vulnerability was fixed in Firefox ESR 140.10.2.
Title Other issue in the WebRTC component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T16:48:52.171Z

Reserved: 2026-05-07T12:45:07.849Z

Link: CVE-2026-8094

cve-icon Vulnrichment

Updated: 2026-05-08T22:39:45.910Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-07T13:16:14.430

Modified: 2026-05-11T15:12:23.117

Link: CVE-2026-8094

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-07T12:45:08Z

Links: CVE-2026-8094 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T04:00:14Z

Weaknesses