Description
Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Published: 2026-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Memory safety bugs present in Firefox 150 could corrupt data in memory; the CVE description notes that some bugs show evidence of memory corruption and are presumed capable of arbitrary code execution with enough effort. The vulnerability is addressed in Firefox 151 and Thunderbird 151.

Affected Systems

Mozilla Thunderbird and Mozilla Firefox are affected. The CVE indicates that Firefox 150 contains the bugs, and the fix was applied in Firefox 151 and Thunderbird 151. Exact supported versions beyond these are not detailed in the CVE data.

Risk and Exploitability

The EPSS score of <1% suggests a very low but nonzero likelihood of exploitation, and the CVSS score of 8.8 demonstrates high severity. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, a likely attack vector involves an attacker delivering malicious content, such as a crafted webpage or web content, which, when processed by Firefox, would trigger the vulnerable memory handling code, potentially allowing an unprivileged user to execute code with the privileges of the Firefox process.

Generated by OpenCVE AI on May 26, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Mozilla Thunderbird 151 or newer, and Firefox 151 or newer, to resolve the memory safety bugs.
  • If an upgrade cannot be performed immediately, avoid opening attachments or content from unknown or untrusted senders to reduce the risk of triggering the vulnerable code paths.
  • Employ email filtering or antivirus solutions to scan incoming messages for malicious payloads before they are processed by Thunderbird.

Generated by OpenCVE AI on May 26, 2026 at 19:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 26 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151. Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Title Memory safety bugs fixed in Thunderbird 151 Memory safety bugs fixed in Firefox 151

Wed, 20 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla thunderbird
CPEs cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*
Vendors & Products Mozilla thunderbird

Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-416
CWE-787

Tue, 19 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151. Memory safety bugs present in Thunderbird 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
Title Memory safety bugs fixed in Firefox 151 Memory safety bugs fixed in Thunderbird 151
References

Tue, 19 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Mozilla
Mozilla firefox
Weaknesses CWE-416
CWE-787
Vendors & Products Mozilla
Mozilla firefox

Tue, 19 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description Memory safety bugs present in Firefox 150. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 151.
Title Memory safety bugs fixed in Firefox 151
References

Subscriptions

Mozilla Firefox Thunderbird
cve-icon MITRE

Status: PUBLISHED

Assigner: mozilla

Published:

Updated: 2026-05-26T17:47:40.176Z

Reserved: 2026-05-19T12:30:21.005Z

Link: CVE-2026-8973

cve-icon Vulnrichment

Updated: 2026-05-19T15:12:07.761Z

cve-icon NVD

Status : Modified

Published: 2026-05-19T14:16:53.860

Modified: 2026-05-26T18:16:57.527

Link: CVE-2026-8973

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-26T20:00:15Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer