CVE-2026-0889

7.5 HIGH

📋 TL;DR

A denial-of-service vulnerability in Firefox and Thunderbird's DOM Service Workers component allows attackers to crash the browser or email client. This affects users running Firefox versions below 147 or Thunderbird versions below 147, potentially disrupting work and causing data loss.

💻 Affected Systems

Products:
  • Mozilla Firefox
  • Mozilla Thunderbird
Versions: Firefox < 147, Thunderbird < 147
Operating Systems: Windows, Linux, macOS (all supported platforms)
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. Service Workers must be enabled (default).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete browser/email client crash requiring restart, potential loss of unsaved work or active sessions, and disruption of critical workflows.

🟠 Likely Case

Browser or email client becomes unresponsive and crashes, requiring manual restart and causing temporary disruption.

🟢 If Mitigated

Minimal impact with proper patching; crashes are prevented and normal functionality is maintained.

🌐 Internet-Facing: HIGH - Attackers can trigger this via malicious websites or emails without user interaction.
🏢 Internal Only: MEDIUM - Internal web applications or emails could be used to trigger the vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation likely requires visiting a malicious website or opening a crafted email. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 147, Thunderbird 147

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2026-01/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update to version 147 or higher.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable Service Workers (all platforms)

Temporarily disable Service Workers to prevent exploitation; this may break some web functionality.

In the Firefox/Thunderbird address bar, open about:config, search for dom.serviceWorkers.enabled and set it to false.

🧯 If You Can't Patch

  • Restrict access to untrusted websites and email sources.
  • Use application sandboxing or isolation techniques to limit impact of crashes.

🔍 How to Verify

Check if Vulnerable:

Check Firefox/Thunderbird version via menu → Help → About. If version is below 147, you are vulnerable.

Check Version:

firefox --version (Linux) or check About dialog (Windows/macOS)

Verify Fix Applied:

Confirm version is 147 or higher after update and restart. Test Service Worker functionality on trusted sites.
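The version check above and the Service Workers workaround can be verified from a script rather than by hand. The following is an added example, not part of the advisory: it parses the output of `firefox --version` / `thunderbird --version` (constructed sample strings are used for the demo), flags anything below the fixed release 147, and checks whether a profile's user.js or prefs.js pins dom.serviceWorkers.enabled to false (the profile path and binary names on PATH are assumptions).

```shell
#!/bin/sh
# Added fleet check for CVE-2026-0889 (example code, not Mozilla's tooling).

FIXED_MAJOR=147   # first fixed release per the advisory

# Extract the major version from a "--version" line.
# "Mozilla Firefox 146.0.1" -> 146 ; "Thunderbird 147.0" -> 147
major_version() {
  ver=${1##* }          # keep text after the last space: "146.0.1"
  ver=${ver%%.*}        # keep the leading component: "146"
  case $ver in
    ''|*[!0-9]*) return 1 ;;   # not a number: unparseable output
  esac
  printf '%s\n' "$ver"
}

# Succeeds (exit 0) when the reported version is below the fixed release.
is_vulnerable() {
  m=$(major_version "$1") || return 2
  [ "$m" -lt "$FIXED_MAJOR" ]
}

# Succeeds when the profile directory ($1) pins the workaround pref.
# user.js and prefs.js use the line format: user_pref("name", value);
workaround_applied() {
  for f in "$1/user.js" "$1/prefs.js"; do
    [ -f "$f" ] || continue
    grep -q '^user_pref("dom.serviceWorkers.enabled", *false);' "$f" && return 0
  done
  return 1
}

# Live mode: ./check.sh <firefox|thunderbird> <profile-dir>   (assumed layout)
if [ "${1:-}" ] && [ "${2:-}" ]; then
  out=$("$1" --version 2>/dev/null) || { echo "cannot run $1"; exit 2; }
  if is_vulnerable "$out"; then
    echo "VULNERABLE: $out"
    workaround_applied "$2" && echo "workaround present in $2" || echo "no workaround in $2"
  else
    echo "fixed: $out"
  fi
fi
```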

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs, unexpected termination events, high memory usage spikes before crash

Network Indicators:

  • Requests to suspicious domains triggering Service Worker scripts, unusual Service Worker registration patterns

SIEM Query:

(source="firefox.log" OR source="thunderbird.log") AND (event="crash" OR event="terminated") AND version<147
