Description
Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an integer overflow in Firefox’s Networking: JAR component, which can cause a crash. The description does not indicate arbitrary code execution or privilege escalation, so the primary impact is limited to instability.

Affected Systems

Mozilla Firefox installations older than version 151 and ESR releases prior to 140.11, and Mozilla Thunderbird installations older than version 151 and ESR releases prior to 140.11, are affected.

Risk and Exploitability

The CVSS score is 9.8, indicating critical severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. No explicit attack vector is provided in the CVE description; the likely attack vector is that an attacker could deliver a malicious JAR file over the network to trigger the overflow, potentially leading to a crash or denial of service in Firefox or Thunderbird.

Generated by OpenCVE AI on May 19, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install Firefox 151 or newer, or ESR 140.11 or later.
  • Install Thunderbird 151 or newer, or ESR 140.11 or later.
  • Remove or uninstall older Firefox binaries to prevent accidental use of the vulnerable component.
  • Remove or uninstall older Thunderbird binaries to prevent accidental use of the vulnerable component.
  • As a temporary measure, disable or block JAR file downloads and processing in Firefox and Thunderbird until the update is applied.

Generated by OpenCVE AI on May 19, 2026 at 21:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4592-1 firefox-esr security update
Debian DLA Debian DLA DLA-4594-1 thunderbird security update
Debian DSA Debian DSA DSA-6283-1 firefox-esr security update
Debian DSA Debian DSA DSA-6288-1 thunderbird security update
History

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 20 May 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 19 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-680

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11. Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References

Tue, 19 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-190
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 16:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-680

Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Title Integer overflow in the Networking: JAR component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:49.476Z

Reserved: 2026-05-19T12:29:50.365Z

Link: CVE-2026-8956

cve-icon Vulnrichment

Updated: 2026-05-19T16:39:14.659Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T14:16:51.943

Modified: 2026-05-20T14:31:07.807

Link: CVE-2026-8956

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-19T12:29:51Z

Links: CVE-2026-8956 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T21:30:14Z

Weaknesses