Description
Privilege escalation in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Published: 2026-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This privilege escalation flaw in Mozilla Firefox and Thunderbird's WebRTC Audio/Video component permits an attacker to gain higher privileges within the browser by exploiting improper authorization controls. The vulnerability, fixed in Firefox 151 and Thunderbird 151, could allow code execution with elevated rights, enabling access to sensitive data or system resources. It maps to the listed improper authorization weaknesses (CWE‑269).

Affected Systems

Mozilla Firefox browsers older than version 151 and Mozilla Thunderbird before version 151 contain the vulnerable WebRTC module. All releases before 151 from both vendors are considered affected until the fix is applied.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the vulnerability is not listed in CISA’s KEV catalog. The EPSS score is < 1%, suggesting low exploitation likelihood. Based on the description, it is inferred that the attack vector involves delivering malicious content via an HTTP(S) request that activates the WebRTC component, making exploitation feasible through a compromised or malicious website.

Generated by OpenCVE AI on May 20, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mozilla Firefox to version 151 or later to apply the official fix.
  • Upgrade Mozilla Thunderbird to version 151 or later to apply the official fix.
  • If an upgrade cannot be performed immediately, disable WebRTC in the browser settings to prevent the vulnerable component from loading.
  • Use a separate, least-privileged user account for web browsing to limit the impact of a successful privilege escalation.

Generated by OpenCVE AI on May 20, 2026 at 17:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*
Vendors & Products Mozilla thunderbird

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-862

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Privilege escalation in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 151. Privilege escalation in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
References

Tue, 19 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-862

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Privilege escalation in the WebRTC: Audio/Video component. This vulnerability was fixed in Firefox 151.
Title Privilege escalation in the WebRTC: Audio/Video component
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-20T15:38:39.203Z

Reserved: 2026-05-19T12:30:19.409Z

Link: CVE-2026-8972

cve-icon Vulnrichment

Updated: 2026-05-19T14:30:10.922Z

cve-icon NVD

Status : Modified

Published: 2026-05-19T14:16:53.753

Modified: 2026-05-20T17:16:31.407

Link: CVE-2026-8972

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T17:45:36Z

Weaknesses