External risk intelligence

Attackers can take over Firefox and Thunderbird to steal data or disrupt services.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-8091

A critical flaw in Firefox and Thunderbird allows attackers to run malicious code on your computer through audio or video playback, potentially leading to system takeover. Update now to protect your data and services.

1Halo Surface Signal

Mozilla Firefox

before 115.35.2140.0 to before 140.10.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-8091

The vulnerability resides in client-side applications (Firefox and Thunderbird). The attack path requires a user to navigate to a malicious website or view untrusted content. The software does not serve as a publicly accessible internet gateway or network service, but instead functions as a local client-side interface.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in the Audio/Video playback component of Firefox and Thunderbird could allow an attacker to execute arbitrary code. Because this issue is present in widely used client applications, it requires attention to protect users.

  • Can lead to full system compromise.
  • Affects users opening malicious content.
  • No existing access needed to exploit.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by crafting a malicious audio or video file that, when played by a vulnerable version of Firefox or Thunderbird, triggers a buffer overflow. This overflow could allow the attacker to execute arbitrary code on the user's system. The exploit path is straightforward, requiring only that the user be tricked into interacting with the malicious media content.

  • User interaction required.
  • Attacker controls media file.
  • Code execution on victim.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Firefox and Thunderbird's audio/video playback component has a high potential for exploitation due to its network-attackable nature with no privileges or user interaction needed. However, attackers typically prefer vulnerabilities in server-side applications or network infrastructure for broader impact and easier deployment. Client-side vulnerabilities like this often require additional steps, such as tricking users into visiting a malicious site, which can limit their immediate appeal for widespread attacks.

  • Exploitation likely requires user interaction.
  • No public exploit available.
  • Advisories published recently.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize updating Firefox and Thunderbird to the latest fixed versions to address this critical vulnerability in audio/video playback. If immediate patching is not feasible, consider implementing network-level controls or endpoint detection and response (EDR) policies to monitor for and block exploitation attempts targeting these components. Confirm that all affected installations have been successfully updated or have compensating controls in place.

  • Update Firefox to 150+ or ESR 115.35.2+.
  • Update Thunderbird to 150+.
  • Monitor network traffic for exploit indicators.

Frequently asked questions

What is the Audio/Video: Playback component in Firefox and Thunderbird?

The Audio/Video: Playback component is integral to Firefox and Thunderbird, managing the handling and playback of multimedia content within these applications, allowing users to engage with audio and video directly.

What is the weakness class for CVE-2026-8091?

The weakness class identified for CVE-2026-8091 is CWE-754, indicating an improper handling of crucial system resources, which can lead to vulnerabilities by flaws in memory management or other critical elements.

How can an attacker exploit CVE-2026-8091?

An attacker can exploit CVE-2026-8091 by crafting a malicious audio or video file. When played by a vulnerable version of Firefox or Thunderbird, this file can trigger a buffer overflow, potentially allowing the attacker to execute arbitrary code on the user's system.

What is the relevance of CVE-2026-8091, and what are the associated advisories?

This critical vulnerability in Firefox and Thunderbird's audio/video playback component could lead to full system compromise. Advisories can be found at: https://www.mozilla.org/security/advisories/mfsa2026-30/, https://www.mozilla.org/security/advisories/mfsa2026-33/, https://www.mozilla.org/security/advisories/mfsa2026-36/, https://www.mozilla.org/security/advisories/mfsa2026-39/, and https://www.mozilla.org/security/advisories/mfsa2026-42/.

What steps should be taken to address CVE-2026-8091?

To address CVE-2026-8091, prioritize updating Firefox to version 150 or ESR 115.35.2+, and Thunderbird to version 150+. If immediate patching isn't possible, consider network-level controls or EDR policies to monitor for and block exploitation attempts.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified