Description
Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from incorrect boundary checks in the audio/video component of Mozilla Firefox and Thunderbird, leading to an integer overflow. The flaw was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151 and Thunderbird 140.11. The advisory does not specify the exact impact, but the CVSS score of 7.5 indicates a high severity.

Affected Systems

All installations of Mozilla Firefox older than version 151, and all ESR releases before 140.11, as well as all installations of Mozilla Thunderbird older than version 151 or ESR releases before 140.11, are affected. The flaw exists across all supported operating systems, so any user running a legacy version of Firefox or Thunderbird is at risk.

Risk and Exploitability

Exploit availability data is not published; the EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog. The high CVSS score indicates significant potential impact, and the flaw resides in media handling code that is executed for every media stream. The likely attack vector, based on the nature of the component, is remote via delivery of a crafted media file (for example, embedded in a malicious web page or email attachment). Because no public exploit is known, the exact likelihood of exploitation remains uncertain, but the risk is considered high enough to warrant prompt mitigation.

Generated by OpenCVE AI on May 22, 2026 at 02:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 151, the ESR 140.11 release, or any newer version to receive the fix for the integer overflow.
  • Upgrade Mozilla Thunderbird to version 151, the ESR 140.11 release, or any newer version to receive the fix for the integer overflow.
  • Ensure automatic updates are enabled or use an enterprise software management tool to deploy the latest Firefox and Thunderbird versions on all endpoints.
  • If an upgrade is not immediately possible, temporarily reduce exposure by disabling audio and video processing in Firefox or Thunderbird preferences, noting that this may impact user experience.

Generated by OpenCVE AI on May 22, 2026 at 02:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4592-1 firefox-esr security update
Debian DLA Debian DLA DLA-4594-1 thunderbird security update
Debian DSA Debian DSA DSA-6283-1 firefox-esr security update
Debian DSA Debian DSA DSA-6288-1 thunderbird security update
History

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 19 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-680

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11. Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References

Tue, 19 May 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-680

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Incorrect boundary conditions, integer overflow in the Audio/Video component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Title Incorrect boundary conditions, integer overflow in the Audio/Video component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:48.872Z

Reserved: 2026-05-19T12:29:47.489Z

Link: CVE-2026-8954

cve-icon Vulnrichment

Updated: 2026-05-19T14:16:00.411Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T14:16:51.700

Modified: 2026-05-19T18:42:57.803

Link: CVE-2026-8954

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-19T12:29:48Z

Links: CVE-2026-8954 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T02:15:06Z

Weaknesses