CVE-2026-0891

8.1 HIGH

📋 TL;DR

This CVE describes memory safety bugs in Firefox and Thunderbird that could lead to memory corruption. With sufficient effort, attackers could potentially exploit these vulnerabilities to execute arbitrary code. Affected users include anyone running vulnerable versions of Firefox ESR < 140.7, Firefox < 147, Thunderbird ESR < 140.7, or Thunderbird < 147.

💻 Affected Systems

Products:
  • Firefox
  • Firefox ESR
  • Thunderbird
  • Thunderbird ESR
Versions: Firefox < 147, Firefox ESR < 140.7, Thunderbird < 147, Thunderbird ESR < 140.7
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution allowing attackers to take full control of the affected system, install malware, or steal sensitive data.

🟠

Likely Case

Application crashes or instability, with potential for limited code execution in targeted attacks.

🟢

If Mitigated

No impact if systems are patched or proper network segmentation prevents exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: HIGH

Memory corruption vulnerabilities require sophisticated exploitation techniques but could be weaponized in targeted attacks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firefox 147, Firefox ESR 140.7, Thunderbird 147, Thunderbird ESR 140.7

Vendor Advisory: https://www.mozilla.org/security/advisories/mfsa2026-01/

Restart Required: Yes

Instructions:

1. Open Firefox/Thunderbird.
2. Click menu → Help → About Firefox/Thunderbird.
3. Allow the automatic update to complete.
4. Restart the application when prompted.

🔧 Temporary Workarounds

Disable JavaScript (all platforms)

Temporarily reduces attack surface by disabling JavaScript execution.

about:config → javascript.enabled = false

🧯 If You Can't Patch

  • Restrict network access to vulnerable browsers using firewall rules.
  • Use application whitelisting to prevent execution of malicious payloads.

🔍 How to Verify

Check if Vulnerable:

Check browser version in About Firefox/Thunderbird menu.

Check Version:

firefox --version (or thunderbird --version)

Verify Fix Applied:

Confirm version is Firefox ≥147, Firefox ESR ≥140.7, Thunderbird ≥147, or Thunderbird ESR ≥140.7.
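The version check above, written as a small script so it can be run across a fleet instead of by hand. This is an added example, not part of the advisory page: it assumes the `--version` output has the usual shape ("Mozilla Firefox 140.6.0esr", "Mozilla Firefox 146.0.1", "Thunderbird 140.6.0esr"), treats an "esr" suffix as the ESR branch, and compares against the fixed versions listed on this page (147 for release builds, 140.7 for ESR). The version strings in the comments and tests are constructed samples.

```python
import re
import shutil
import subprocess

# Fixed versions from the advisory (CVE-2026-0891): the first unaffected release per branch.
FIXED = {
    ("firefox", "release"): (147, 0),
    ("firefox", "esr"): (140, 7),
    ("thunderbird", "release"): (147, 0),
    ("thunderbird", "esr"): (140, 7),
}

# Assumed shape of `firefox --version` / `thunderbird --version` output,
# e.g. "Mozilla Firefox 140.6.0esr", "Mozilla Firefox 146.0.1", "Thunderbird 140.6.0esr".
_VERSION_RE = re.compile(
    r"(Firefox|Thunderbird)\s+(\d+)(?:\.(\d+))?(?:\.(\d+))?(esr)?", re.IGNORECASE
)


def parse_version(output):
    """Return (product, branch, (major, minor, patch)) parsed from --version output."""
    m = _VERSION_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised version string: {output!r}")
    product = m.group(1).lower()
    branch = "esr" if m.group(5) else "release"
    # Missing minor/patch components are treated as 0 (e.g. "147.0" -> (147, 0, 0)).
    version = tuple(int(x) if x else 0 for x in m.groups()[1:4])
    return product, branch, version


def is_fixed(output):
    """True if the reported version is at or above the fixed version for its branch."""
    product, branch, version = parse_version(output)
    major, minor = FIXED[(product, branch)]
    # Tuple comparison orders (major, minor) lexicographically, so 140.7 > 140.6 and 147.0 > 146.0.1.
    return version[:2] >= (major, minor)


def check_installed(binary):
    """Run `<binary> --version` if the binary is on PATH; return (output, fixed) or None."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run(
        [path, "--version"], capture_output=True, text=True, check=True
    ).stdout.strip()
    return out, is_fixed(out)


if __name__ == "__main__":
    for binary in ("firefox", "thunderbird"):
        result = check_installed(binary)
        if result is None:
            print(f"{binary}: not found on PATH")
        else:
            out, fixed = result
            print(f"{binary}: {out} -> {'patched' if fixed else 'VULNERABLE'}")
```

Only the major and minor components decide the outcome, because the advisory's fixed versions are expressed at that granularity; an ESR build is never compared against the release threshold, so a patched 140.7 ESR is not misreported as vulnerable merely because 140 < 147.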

📡 Detection & Monitoring

Log Indicators:

  • Application crash logs with memory access violations
  • Unexpected process termination

Network Indicators:

  • Unusual outbound connections from browser processes
  • Suspicious download patterns

SIEM Query:

(source="firefox.log" OR source="thunderbird.log") AND (event="crash" OR event="segfault")

The parentheses around the two source clauses matter: without them AND binds tighter than OR, so the query would return every firefox.log event regardless of event type.
