Description
Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Widget: Win32 component allows a malicious page to bypass the browser sandbox by exploiting incorrect boundary checks. This is an instance of buffer overrun and improper input validation (CWE-119), unchecked input bounds (CWE-20), unsafe code path selection (CWE-653), and insecure code path selection (CWE-693). The bug can lead to execution with higher privileges than the sandbox grants, potentially compromising the confidentiality, integrity, and availability of the host system. The vulnerability carries a CVSS score of 9.6. The vulnerability has been fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

Affected Systems

Mozilla Firefox, all builds prior to Firefox 151 and Firefox ESR 140.11, and Mozilla Thunderbird, all builds prior to Thunderbird 151 and Thunderbird 140.11, were affected. The security update was released for Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11 and later versions.

Risk and Exploitability

The vulnerability has a CVSS score of 9.6, indicating critical severity. EPSS score is 0.00083, indicating a very low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, originating from a malicious web page or content delivered through the affected component. The risk is elevated due to the potential for sandbox escape, but the exploitation probability remains very low.

Generated by OpenCVE AI on May 22, 2026 at 02:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 151 or newer
  • Upgrade Mozilla Firefox ESR to 140.11 or newer
  • Upgrade Mozilla Thunderbird to version 151 or newer
  • If an update cannot be applied immediately, restrict exposure to untrusted content by disabling the Widget: Win32 component or using a hardened sandbox configuration

Generated by OpenCVE AI on May 22, 2026 at 02:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-653
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11. Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References

Tue, 19 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-693
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
CWE-20

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Title Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-19T17:10:50.516Z

Reserved: 2026-05-19T12:29:54.802Z

Link: CVE-2026-8959

cve-icon Vulnrichment

Updated: 2026-05-19T16:07:03.195Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T14:16:52.280

Modified: 2026-05-20T14:28:29.307

Link: CVE-2026-8959

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-19T12:29:55Z

Links: CVE-2026-8959 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T02:15:06Z

Weaknesses