Description
Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow flaw exists in Mozilla Firefox’s Widget: Win32 component. The CVE description states that the bug was addressed in Firefox 151 and Firefox ESR 140.11, indicating that earlier builds are vulnerable. The overflow could corrupt internal buffers or data structures if manipulated with malicious input, but the CVE does not assert an arbitrary code execution outcome.

Affected Systems

Mozilla Firefox users running any version older than 151 or earlier ESR releases before 140.11 are affected. The vulnerability is limited to the Widget: Win32 component within these builds.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, though no EPSS score is available and the issue is not listed in the CISA KEV catalog, implying that exploitation has not been observed in the wild. The attack vector is not explicitly stated; based on the description it is inferred to require access to the Widget: Win32 component, which suggests a local or privileged context rather than a purely remote attack.

Generated by OpenCVE AI on May 19, 2026 at 15:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 151, ESR 140.11, or a later release that includes the fix
  • If an upgrade cannot be performed immediately, disable the Widget: Win32 component via the browser’s configuration or preference settings to prevent it from loading
  • Monitor system and browser logs for indications of memory corruption or unexpected behavior that might signal exploitation

Generated by OpenCVE AI on May 19, 2026 at 15:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11. Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References

Tue, 19 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Title Integer overflow in the Widget: Win32 component
References

Subscriptions

Mozilla Firefox
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:47.774Z

Reserved: 2026-05-19T12:29:40.080Z

Link: CVE-2026-8949

cve-icon Vulnrichment

Updated: 2026-05-19T14:05:17.742Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-19T14:16:51.140

Modified: 2026-05-19T15:16:33.940

Link: CVE-2026-8949

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T15:30:08Z

Weaknesses