Description
Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer overflow flaw exists in the Widget: Win32 component of Mozilla Firefox and Thunderbird. The bug was patched in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11, meaning earlier releases remain vulnerable. If leveraged, the overflow could corrupt internal buffers or data structures, potentially leading to memory corruption, but the description does not indicate arbitrary code execution.

Affected Systems

Users running any version of Firefox or Thunderbird older than the patched releases are affected. The vulnerability is confined to the Widget: Win32 component within these products. ESR builds remain vulnerable until the specified ESR release numbers.

Risk and Exploitability

The CVSS score of 7.5 signals a high severity. No EPSS score is provided and the issue is not listed in the CISA KEV catalog, suggesting no known exploitation in the wild. The attack vector is not explicitly stated; based on the component involved, it is inferred that exploitation would likely require the ability to provide crafted input to the component, which may entail local or privileged context or user interaction to load the widget.

Generated by OpenCVE AI on May 19, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Firefox 151 or newer, Firefox ESR 140.11 or newer, Thunderbird 151 or newer, Thunderbird 140.11 or newer
  • If an upgrade cannot be performed immediately, disable the Widget: Win32 component through the browser’s configuration or preference settings to prevent it from loading
  • Monitor system and browser logs for indications of memory corruption or unexpected behavior that might signal exploitation


Advisories

No advisories yet.

History

Wed, 20 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla thunderbird
CPEs | | cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*, cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*, cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*, cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products | | Mozilla thunderbird

Tue, 19 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11. | Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References | |

Tue, 19 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla, Mozilla firefox
Vendors & Products | | Mozilla, Mozilla firefox

Tue, 19 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-190
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | Integer overflow in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Title | | Integer overflow in the Widget: Win32 component
References | |

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:47.774Z

Reserved: 2026-05-19T12:29:40.080Z

Link: CVE-2026-8949

Vulnrichment

Updated: 2026-05-19T14:05:17.742Z

NVD

Status: Analyzed

Published: 2026-05-19T14:16:51.140

Modified: 2026-05-20T14:49:05.930

Link: CVE-2026-8949

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T19:00:12Z

Weaknesses

  • CWE-190: Integer Overflow or Wraparound