Description
Privilege escalation in the Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Published: 2026-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Security component of Mozilla Firefox allows a malicious actor to obtain higher privileges than intended, potentially enabling the execution of actions restricted to privileged users. This type of weakness can lead to unauthorized control over the system or the web browser, compromising confidentiality, integrity, and availability at the application level.

Affected Systems

Any user running Mozilla Firefox earlier than version 151 or Firefox ESR earlier than 140.11, or Mozilla Thunderbird earlier than version 151 or the Thunderbird ESR 140.11 release, is affected. The vulnerability applies to all platforms where these older releases are installed.

Risk and Exploitability

The CVSS score is 8.8, the EPSS score is < 1%, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is local, requiring the attacker to run malicious code within the browser context to exploit the privilege-escalation path. Exploitation would require local code execution or a user visiting a malicious web page that triggers the flaw. The risk remains significant because elevated privileges can bypass security controls. The absence of publicly reported exploitation or a known exploit reduces the immediate threat, but prompt remediation is still warranted.

Generated by OpenCVE AI on May 20, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 151 or later, or to the ESR 140.11 release or newer.
  • Upgrade Mozilla Thunderbird to version 151 or later, or to the ESR 140.11 release or newer.
  • Enforce use of the fixed releases through enterprise policy or a script that blocks older versions from being run.
  • If an upgrade is pending, disable browser extensions or features that could trigger the privilege escalation until the fix is applied.

Advisories

No advisories yet.

History

Wed, 20 May 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics

Values Removed:
cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Values Added:
cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Privilege escalation in the Security component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Values Added: Privilege escalation in the Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
References

Tue, 19 May 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 19 May 2026 15:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Privilege escalation in the Security component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
Title Privilege escalation in the Security component
References

MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-20T15:38:16.007Z

Reserved: 2026-05-19T12:30:16.497Z

Link: CVE-2026-8970

Vulnrichment

Updated: 2026-05-19T14:21:47.673Z

NVD

Status: Analyzed

Published: 2026-05-19T14:16:53.500

Modified: 2026-05-20T17:34:49.203

Link: CVE-2026-8970

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T17:45:36Z

Weaknesses