CRITICAL🇵🇱 Wersja polska

CVE-2026-8956

CVSS 9.8v3.1pub. 2026-05-19upd. 2026-05-20

Integer overflow in the Networking: JAR component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.

🤖 AI Analysis
How it works

The flaw consists of an integer overflow in the component responsible for handling network resources in JAR (Java Archive) format. Integer value overflow can lead to incorrect calculations regarding buffer sizes or memory pointers, which can then be exploited by an attacker to execute malicious code. The attack requires no authentication or user interaction, and the attack vector is network-based.

Impact

An attacker can gain full control over system confidentiality, integrity, and availability, including potentially executing arbitrary code (RCE) in the context of the vulnerable application.

Mitigation & patch

Software should be updated to Firefox 151, Firefox ESR 140.11, Thunderbird 151, or Thunderbird 140.11, in which the vulnerability has been fixed.

Who is affected

Mozilla Firefox versions before 151 and Firefox ESR versions before 140.11, Mozilla Thunderbird versions before 151 and Thunderbird ESR versions before 140.11.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 140.11.0< 151.0.0
  • Mozilla Thunderbird

    APP
    Mozilla
    < 140.11< 151.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...