Description
Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sandbox escape due to use‑after‑free in the Disability Access APIs component allows an attacker to break out of the browser sandbox and execute arbitrary code. The vulnerability arises when the component accesses memory that has already been freed, creating an unintended reference that can be exploited to bypass sandbox enforcement. This bug corresponds to CWE‑416 and also involves CWE‑825, which concerns improper handling of the accessibility API. The impact is that code can run with the privileges of the browser process, potentially enabling access to sensitive local data or system resources.

Affected Systems

The vulnerability affects all Mozilla Firefox releases prior to Firefox 151. Firefox ESR 115.36 and ESR 140.11 are already fixed. Users on releases older than these should consider themselves exposed until the update is applied. Thunderbird users on versions prior to Thunderbird 151 and Thunderbird 140.11 are also affected until those releases are installed.

Risk and Exploitability

The CVSS score is 9.6, indicating critical severity. Official advisories indicate the issue was addressed in the aforementioned releases and there is no current listing in the CISA KEV catalog. The EPSS score is 0.00043, indicating an extremely low but non‑zero exploitation probability. The likely attack vector is local, requiring an ability to trigger the Disability Access APIs—such as from malicious web content or a compromised accessibility service. Given the lack of public exploitation reports, the current risk remains uncertain but is mitigated by applying the vendor‑supplied patch.

Generated by OpenCVE AI on May 22, 2026 at 02:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Firefox to a fixed release: Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, or newer.
  • Upgrade Thunderbird to a fixed release: Thunderbird 151, Thunderbird 140.11, or newer.
  • If upgrading is not immediately possible, disable or limit the Disability Access APIs by turning off accessibility features in Firefox’s Preferences → Language & Appearance → Accessibility; similarly disable accessibility in Thunderbird’s equivalent settings.
  • Continuously monitor Mozilla security advisories and apply subsequent patches as soon as they become available.

Generated by OpenCVE AI on May 22, 2026 at 02:08 UTC.

Advisories
Source | ID | Title
Debian DLA | DLA-4592-1 | firefox-esr security update
Debian DLA | DLA-4594-1 | thunderbird security update
Debian DSA | DSA-6283-1 | firefox-esr security update
Debian DSA | DSA-6288-1 | thunderbird security update

History

Fri, 22 May 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-825
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Tue, 19 May 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla thunderbird
CPEs | | cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*; cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*; cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products | | Mozilla thunderbird

Tue, 19 May 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description | Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11. | Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References | |

Tue, 19 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-416

Tue, 19 May 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mozilla; Mozilla firefox
Vendors & Products | | Mozilla; Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | Sandbox escape due to use-after-free in the Disability Access APIs component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, and Firefox ESR 140.11.
Title | | Sandbox escape due to use-after-free in the Disability Access APIs component
References | |

Subscriptions

Mozilla Firefox Thunderbird
MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:48.519Z

Reserved: 2026-05-19T12:29:46.018Z

Link: CVE-2026-8953

Vulnrichment

Updated: 2026-05-19T16:01:55.914Z

NVD

Status: Analyzed

Published: 2026-05-19T14:16:51.593

Modified: 2026-05-19T18:45:32.087

Link: CVE-2026-8953

Red Hat

Severity: Moderate

Public Date: 2026-05-19T12:29:46Z

Links: CVE-2026-8953 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-22T02:15:06Z

Weaknesses