CRITICAL🇵🇱 Wersja polska

CVE-2026-8091

CVSS 9.8v3.1pub. 2026-05-07upd. 2026-06-30

Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.

🤖 AI Analysis
How it works

The error results from lack of proper boundary condition control during audio/video data processing (Playback component). Improper validation of input data ranges can lead to unexpected application behavior, such as access outside the permitted memory area. The attack is possible remotely, requires no authentication or user interaction, making it particularly dangerous.

Impact

An attacker can gain full control over the confidentiality, integrity, and availability of the system, including potentially executing arbitrary code in the context of the vulnerable application. In the worst case, system takeover or installation of malicious software is possible.

Mitigation & patch

Software should be updated as soon as possible to the following versions containing the patch: Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2. Patches are available through Mozilla's automatic update mechanism and on the vendor's official websites.

Who is affected

Mozilla Firefox versions prior to 150, Mozilla Firefox ESR versions prior to 140.10.1 and prior to 115.35.2, Mozilla Thunderbird versions prior to 150 and prior to 140.10.1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 115.35.2140.0 – 140.10.1 (bez)
  • Mozilla Thunderbird

    APP
    Mozilla
    140.0 – 140.10.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...