Description
Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves incorrect boundary checking in the Web Codecs component, which can lead to memory corruption such as integer overrun or underread. Based on the description, it is inferred that a crafted codec stream delivered by a malicious web page could trigger the flaw, potentially causing a crash or, depending on the memory layout, enabling an attacker to execute code. The description itself does not confirm arbitrary code execution, but the nature of the memory corruption makes this outcome plausible.

Affected Systems

All versions of Mozilla Firefox older than 151, including Firefox ESR 115.36 and ESR 140.11, are affected, as are all versions of Thunderbird older than 151, including Thunderbird ESR 140.11. Users running those releases and accessing the Web Codecs API in web pages that handle media streams may be at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of 0.037% indicates very low but non‑zero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote malicious web page that delivers a specially crafted Web Codec payload, constituting a remote attack scenario. While the defect can cause memory corruption, no public exploit has been documented, so real‑world exploitation risk remains uncertain pending further analysis.

Generated by OpenCVE AI on May 22, 2026 at 01:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 151 or newer, or to Firefox ESR 115.36 or ESR 140.11, and upgrade Thunderbird to version 151 or ESR 140.11 to receive the official fix.
  • If an upgrade is not possible, disable the Web Codecs API by setting dom.webcodecs.enabled to false in about:config or via an enterprise policy to block the vulnerable functionality.
  • Continuously monitor Mozilla security advisories and apply subsequent patches as they become available.

Generated by OpenCVE AI on May 22, 2026 at 01:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4592-1 firefox-esr security update
Debian DLA Debian DLA DLA-4594-1 thunderbird security update
Debian DSA Debian DSA DSA-6283-1 firefox-esr security update
Debian DSA Debian DSA DSA-6288-1 thunderbird security update
History

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-787
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 19 May 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11. Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References

Tue, 19 May 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129

Tue, 19 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-129

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions in the Audio/Video: Web Codecs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Title Incorrect boundary conditions in the Audio/Video: Web Codecs component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:45.651Z

Reserved: 2026-05-19T12:29:35.532Z

Link: CVE-2026-8946

cve-icon Vulnrichment

Updated: 2026-05-19T14:11:24.928Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T14:16:50.800

Modified: 2026-05-19T18:50:01.003

Link: CVE-2026-8946

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-19T12:29:36Z

Links: CVE-2026-8946 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T02:00:13Z

Weaknesses