Description
Privilege escalation in the Application Update component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Published: 2026-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a logical flaw in the Application Update component that allows a malicious actor to gain elevated privileges on an affected system. Based on the description, it is inferred that an attacker who can influence the update process could cause the component to execute code with higher privileges than intended, potentially allowing installation of malware, modification of system settings, or unauthorized access to user data. The flaw relates to improper privilege validation and is represented by CWE-269.

Affected Systems

Mozilla Firefox users running versions prior to Firefox 151 as well as Mozilla Thunderbird users prior to Thunderbird 151 are impacted. The issue is specific to the Application Update component within each product. No other vendors or versions are listed as affected.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, which suggests no known exploitation yet. However, the CVSS score of 8.8 (High), combined with the privilege escalation path, indicates a meaningful risk; once patched, the risk is essentially eliminated. The likely attack vector is a local privilege escalation that could impact any user with the capability to trigger the update component, such as an administrator or a compromised web page; this vector is inferred from the description rather than explicitly stated.

Generated by OpenCVE AI on May 20, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox and Thunderbird to version 151 or newer to remove the flaw.
  • Ensure that the latest Mozilla security patches are automatically applied or manually installed from the official sources.
  • If an upgrade cannot be performed immediately, disable the automatic update feature for Firefox via group policy or manual configuration to prevent the vulnerable component from executing until a patch is available.


Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics

Values Removed:
cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Values Added:
cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description

Values Removed: Privilege escalation in the Application Update component. This vulnerability was fixed in Firefox 151.

Values Added: Privilege escalation in the Application Update component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
References

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 19 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Privilege escalation in the Application Update component. This vulnerability was fixed in Firefox 151.
Title Privilege escalation in the Application Update component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-20T15:37:12.685Z

Reserved: 2026-05-19T12:29:44.424Z

Link: CVE-2026-8952

Vulnrichment

Updated: 2026-05-19T14:18:26.966Z

NVD

Status: Modified

Published: 2026-05-19T14:16:51.480

Modified: 2026-05-20T17:16:29.823

Link: CVE-2026-8952

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T17:45:36Z

Weaknesses
  • CWE-269

    Improper Privilege Management