Description
Memory safety bugs present in Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Published: 2026-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Memory safety bugs present in Thunderbird 150 could corrupt data in memory; the CVE description notes that some bugs show evidence of memory corruption and are presumed capable of arbitrary code execution with enough effort. The vulnerability is addressed in Thunderbird 151 and Firefox 151.

Affected Systems

Mozilla Thunderbird and Mozilla Firefox are affected. The CVE indicates that Thunderbird 150 contains the bugs, and the fix was applied in Thunderbird 151. Exact supported versions beyond these are not detailed in the CVE data.

Risk and Exploitability

The EPSS score of <1% suggests a very low but nonzero likelihood of exploitation, and the CVSS score of 8.8 demonstrates high severity. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, a likely attack vector involves an attacker delivering malicious content, such as a crafted email attachment, which, when processed by Thunderbird, would trigger the vulnerable memory handling code, potentially allowing an unprivileged user to execute code with the privileges of the Thunderbird process.

Generated by OpenCVE AI on May 20, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Mozilla Thunderbird 151 or newer, and Firefox 151 or newer, to resolve the memory safety bugs.
  • If an upgrade cannot be performed immediately, avoid opening attachments or content from unknown or untrusted senders to reduce the risk of triggering the vulnerable code paths.
  • Employ email filtering or antivirus solutions to scan incoming messages for malicious payloads before they are processed by Thunderbird.



Advisories

No advisories yet.

History

Wed, 20 May 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Mozilla thunderbird |
| CPEs | | cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*, cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* |
| Vendors & Products | | Mozilla thunderbird |

Wed, 20 May 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-787

Tue, 19 May 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151. | Memory safety bugs present in Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151. |
| Title | Memory safety bugs fixed in Firefox 151 | Memory safety bugs fixed in Thunderbird 151 |
| References | | |

Tue, 19 May 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-119 |
| Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Tue, 19 May 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Mozilla, Mozilla firefox |
| Weaknesses | | CWE-416, CWE-787 |
| Vendors & Products | | Mozilla, Mozilla firefox |

Tue, 19 May 2026 13:45:00 +0000


MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-20T15:39:05.247Z

Reserved: 2026-05-19T12:30:21.005Z

Link: CVE-2026-8973

Vulnrichment

Updated: 2026-05-19T15:12:07.761Z

NVD

Status: Analyzed

Published: 2026-05-19T14:16:53.860

Modified: 2026-05-20T17:50:51.490

Link: CVE-2026-8973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T19:30:12Z

Weaknesses