Description
Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Enterprise Policies component of Mozilla Firefox allows a process to bypass normal permission checks and obtain higher privileges. The description does not specify how the exploitation occurs, but the elevated authority could be used to alter browser configuration or install extensions with malicious intent.

Affected Systems

All Mozilla Firefox builds released prior to version 151 and all Firefox ESR builds released prior to 140.11 are affected, regardless of the operating system in use.

Risk and Exploitability

The CVSS score is 6.5, EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The advisory confirms that the flaw enables privilege escalation; however, the exact conditions required for exploitation are not disclosed, so the likelihood of successful exploitation cannot be quantified from the available data. The most reasonable inference is that the attack might involve local execution or a crafted Enterprise Policy file, but this is not explicitly stated.

Generated by OpenCVE AI on May 19, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 151 or to Firefox ESR 140.11 or later.
  • If an update cannot be applied immediately, disable the Enterprise Policies component in the browser’s configuration to prevent the flaw from being exercised.
  • Regularly review Mozilla security advisories for further updates or additional mitigations.

Advisories

No advisories yet.

History

Tue, 19 May 2026 17:45:00 +0000

Type: Description
  Values Removed: Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
  Values Added: Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Type: References

Tue, 19 May 2026 16:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Mozilla; Mozilla firefox
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Mozilla; Mozilla firefox

Tue, 19 May 2026 15:30:00 +0000

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-269
Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 13:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Type: Title
  Values Removed: (none)
  Values Added: Privilege escalation in the Enterprise Policies component
Type: References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:49.812Z

Reserved: 2026-05-19T12:29:51.909Z

Link: CVE-2026-8957

Vulnrichment

Updated: 2026-05-19T14:23:09.434Z

NVD

Status: Undergoing Analysis

Published: 2026-05-19T14:16:52.057

Modified: 2026-05-19T15:16:35.010

Link: CVE-2026-8957

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T16:45:06Z

Weaknesses