CVE-2026-8947 - Vulnerability Details

- Use-after-free in the DOM: Bindings (WebIDL) component

Description

Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Published: 2026-05-19

Score: 7.3 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A use‑after‑free flaw, categorized as CWE-416 and CWE-825, exists in the DOM: Bindings (WebIDL) component used by Mozilla’s browser and mail applications. When the engine releases memory tied to a WebIDL object while a reference to that memory still exists, the flaw can corrupt that memory or, potentially, allow arbitrary code execution. The CVE description does not detail the exact consequence, but the nature of the flaw indicates that memory corruption is the core impact.

Affected Systems

Mozilla Firefox releases older than 151, older Firefox ESR builds before ESR 115.36 and ESR 140.11, and all Thunderbird releases older than 151 or before ESR 140.11 contain the vulnerability. Any newer release of these products removes the flaw.

Risk and Exploitability

The CVSS score is 7.3, indicating significant potential impact. The EPSS score of 0.00049 (less than 0.1%) indicates a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog, so no widespread exploitation has been documented. The attack vector is not explicitly defined in the description; however, the typical scenario for use‑after‑free flaws in the browser would involve malicious web content processed by the renderer. Because the flaw can corrupt memory, it presents a high risk if an attacker can deliver suitable input.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`115.36`	unaffected	≤ 115.*
`140.11`	unaffected	≤ 140.*
`151`	unaffected	≤ *

Mozilla

Thunderbird

affected

Version	Status	Constraints
`140.11`	unaffected	≤ 140.*
`151`	unaffected	≤ *

Configuration 1 [-]

OR	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:firefox:::::-:::*
	cpe:2.3:a:mozilla:firefox:::::esr:::*
	cpe:2.3:a:mozilla:thunderbird::::::::

No data.

Vendor Product Confidence Versions

Mozilla

Firefox

100%

Version	Status	Scheme	Platform
`[115.36,115.*]`	unaffected	generic	—
`[140.11,140.*]`	unaffected	generic	—
`[151,*]`	unaffected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Mozilla Firefox to version 151 or newer, or to latest ESR 115.36 or ESR 140.11.
Update Mozilla Thunderbird to version 151 or newer, or to latest ESR 140.11.
Enable automatic updates to ensure future patches are applied promptly.
If a prompt upgrade is infeasible, consider disabling or restricting risky scripting features, such as disabling JavaScript on untrusted sites or enabling site isolation, to reduce exploitation likelihood.

Generated by OpenCVE AI on May 22, 2026 at 01:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-4592-1	firefox-esr security update
Debian DLA	DLA-4594-1	thunderbird security update
Debian DSA	DSA-6283-1	firefox-esr security update
Debian DSA	DSA-6288-1	thunderbird security update

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00065.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=2038439
https://nvd.nist.gov/vuln/detail/CVE-2026-8947
https://www.cve.org/CVERecord?id=CVE-2026-8947
https://www.mozilla.org/security/advisories/mfsa2026-46/
https://www.mozilla.org/security/advisories/mfsa2026-47/
https://www.mozilla.org/security/advisories/mfsa2026-48/
https://www.mozilla.org/security/advisories/mfsa2026-48/#CVE-2026-8947
https://www.mozilla.org/security/advisories/mfsa2026-50/
https://www.mozilla.org/security/advisories/mfsa2026-51/

History

Fri, 22 May 2026 00:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-825
References		https://nvd.nist.gov/vuln/detail/CVE-2026-8947 https://www.cve.org/CVERecord?id=CVE-2026-8947 https://www.mozilla.org/security/advisories/mfsa2026-48/#CVE-2026-8947
Metrics	threat_severity `None`	threat_severity `Important`

Tue, 19 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla thunderbird
CPEs		cpe:2.3:a:mozilla:firefox:::::-:::* cpe:2.3:a:mozilla:firefox:::::esr:::* cpe:2.3:a:mozilla:thunderbird::::::::
Vendors & Products		Mozilla thunderbird

Tue, 19 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description	Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.	Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References		https://www.mozilla.org/security/advisories/mfsa2026-50/ https://www.mozilla.org/security/advisories/mfsa2026-51/

Tue, 19 May 2026 15:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox
Weaknesses		CWE-416
Vendors & Products		Mozilla Mozilla firefox
Metrics		cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 19 May 2026 13:45:00 +0000

Type	Values Removed	Values Added
Description		Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Title		Use-after-free in the DOM: Bindings (WebIDL) component
References		https://bugzilla.mozilla.org/show_bug.cgi?id=2038439 https://www.mozilla.org/security/advisories/mfsa2026-46/ https://www.mozilla.org/security/advisories/mfsa2026-47/ https://www.mozilla.org/security/advisories/mfsa2026-48/

Subscriptions

Mozilla Firefox Thunderbird

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2026-05-19T12:29:37.800Z

Updated: 2026-05-19T17:10:46.663Z

Reserved: 2026-05-19T12:29:37.072Z

Link: CVE-2026-8947

Vulnrichment

Updated: 2026-05-19T14:15:06.141Z

NVD

Status : Analyzed

Published: 2026-05-19T14:16:50.910

Modified: 2026-05-19T18:47:52.620

Link: CVE-2026-8947

Redhat

Severity : Important

Publid Date: 2026-05-19T12:29:37Z

Links: CVE-2026-8947 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-22T02:00:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object