Description
Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Enterprise Policies component of Mozilla Firefox and Thunderbird allows a process to bypass normal permission checks and obtain higher privileges. The vulnerability is fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Affected Systems

All Mozilla Firefox builds released prior to version 151 and all Firefox ESR builds released prior to 140.11, as well as all Thunderbird builds prior to version 151 and Thunderbird ESR builds prior to 140.11, are affected, regardless of the operating system in use.

Risk and Exploitability

The CVSS score is 8.8 and the EPSS score is 0.0003, indicating a very low likelihood of exploitation; the vulnerability is not listed in CISA's KEV catalog. The advisory confirms that the flaw enables privilege escalation, but the exact conditions required for exploitation are not disclosed, so the likelihood of successful exploitation cannot be quantified from the available data. The vulnerability also affects Thunderbird. The most reasonable inference is that the attack might involve local execution or a crafted Enterprise Policy file, but this is not explicitly stated.

Generated by OpenCVE AI on May 22, 2026 at 01:37 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 151 or to Firefox ESR 140.11 or later.
  • Upgrade Mozilla Thunderbird to version 151 or to Thunderbird ESR 140.11 or later.
  • If an update cannot be applied immediately, disable the Enterprise Policies component in the browser’s configuration to prevent the flaw from being exercised.
  • Regularly review Mozilla security advisories for further updates or additional mitigations.

Tracking


Advisories
Source      ID          Title
Debian DLA  DLA-4592-1  firefox-esr security update
Debian DLA  DLA-4594-1  thunderbird security update
Debian DSA  DSA-6283-1  firefox-esr security update
Debian DSA  DSA-6288-1  thunderbird security update
History

Fri, 22 May 2026 00:15:00 +0000

Type: Weaknesses
  Values Added: CWE-266
Type: References
Type: Metrics
  Values Removed: threat_severity: None
  Values Added: threat_severity: Moderate


Wed, 20 May 2026 16:30:00 +0000

Type: Metrics
  Values Removed:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Values Added:
    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 May 2026 15:15:00 +0000

Type: First Time appeared
  Values Added: Mozilla thunderbird
Type: CPEs
  Values Added:
    cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
    cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
    cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
    cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Type: Vendors & Products
  Values Added: Mozilla thunderbird

Tue, 19 May 2026 17:45:00 +0000

Type: Description
  Values Removed: Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
  Values Added: Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Type: References

Tue, 19 May 2026 16:15:00 +0000

Type: First Time appeared
  Values Added: Mozilla; Mozilla firefox
Type: Vendors & Products
  Values Added: Mozilla; Mozilla firefox

Tue, 19 May 2026 15:30:00 +0000

Type: Weaknesses
  Values Added: CWE-269
Type: Metrics
  Values Added:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 13:45:00 +0000

Type: Description
  Values Added: Privilege escalation in the Enterprise Policies component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Type: Title
  Values Added: Privilege escalation in the Enterprise Policies component
Type: References

Subscriptions

Mozilla Firefox Thunderbird
MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-20T15:37:58.532Z

Reserved: 2026-05-19T12:29:51.909Z

Link: CVE-2026-8957

Vulnrichment

Updated: 2026-05-19T14:23:09.434Z

NVD

Status : Modified

Published: 2026-05-19T14:16:52.057

Modified: 2026-05-20T17:16:30.150

Link: CVE-2026-8957

Redhat

Severity : Moderate

Public Date: 2026-05-19T12:29:52Z

Links: CVE-2026-8957 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-22T01:45:24Z

Weaknesses
  • CWE-266: Incorrect Privilege Assignment
  • CWE-269: Improper Privilege Management