CVE-2026-8091 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-8091 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-8091 is a critical boundary condition vulnerability in the Audio/Video Playback component of Mozilla Firefox and Mozilla Thunderbird.

Technical Detail

The flaw stems from incorrect boundary checks during media playback processing, which can result in out-of-bounds memory access when handling malformed or specially crafted audio or video content. An attacker could exploit this by delivering malicious media through a webpage or embedded email content, triggering the boundary violation in the affected component. Depending on memory layout and exploitation conditions, this class of vulnerability can lead to remote code execution in the context of the affected application.

Exploitation Status

No known exploit exists for this vulnerability at this time. It has not been added to the CISA Known Exploited Vulnerabilities catalog. The exploit maturity is currently assessed as none, meaning no public proof-of-concept or active exploitation has been confirmed as of this writing.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability in available intelligence.

What To Do

Organizations should prioritize patching given the critical CVSS score of 9.8. Mozilla has addressed this vulnerability in Firefox 150, Firefox ESR 140.10.1, Firefox ESR 115.35.2, Thunderbird 150, and Thunderbird 140.10.1. Administrators and end users should update to one of these fixed versions immediately. For environments where immediate patching is not feasible, consider restricting or disabling media playback functionality where operationally possible. Thunderbird users should be particularly attentive given the email attack surface, as malicious media could be embedded in received messages without requiring user navigation to an external site.
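The fixed versions above sit on several branches, so a plain "is it at least 150?" comparison would flag a patched ESR build as vulnerable. The following is an added example, not part of the original briefing or any Mozilla tooling: it checks a software inventory against the listed fixed versions per branch. The inventory rows and host names are constructed, and because the briefing gives no affected-version range, the script assumes any build below the fixed version on its branch, or on a branch with no listed fix, needs an update.

```python
import re

# Fixed versions listed in the briefing, keyed by product, then major branch.
FIXED = {
    "firefox": {150: (150,), 140: (140, 10, 1), 115: (115, 35, 2)},
    "thunderbird": {150: (150,), 140: (140, 10, 1)},
}
# Accepts "150.0" or "140.10.1esr"; betas such as "150.0b3" do not match.
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(esr)?$", re.IGNORECASE)


def parse_version(text):
    """Return the version as a tuple of ints, or None if it cannot be parsed."""
    match = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in match.group(1).split(".")) if match else None


def status(product, version_text):
    """Classify one install as 'patched', 'needs-update' or 'review'."""
    branches = FIXED.get(product.lower())
    version = parse_version(version_text)
    if branches is None or version is None:
        return "review"  # unknown product or pre-release build: check by hand
    major = version[0]
    if major > max(branches):
        return "patched"  # assumption: later majors carry the fix
    fixed = branches.get(major)
    if fixed is None:
        return "needs-update"  # assumption: no fixed build exists on this branch
    width = max(len(version), len(fixed))
    padded = version + (0,) * (width - len(version))
    return "patched" if padded >= fixed + (0,) * (width - len(fixed)) else "needs-update"


# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("ws-01", "firefox", "149.0.2"),
    ("ws-02", "firefox", "140.10.1esr"),
    ("ws-03", "firefox", "115.35.1esr"),
    ("ws-04", "thunderbird", "140.9.0"),
    ("ws-05", "thunderbird", "150.0"),
    ("ws-06", "firefox", "150.0b3"),
]


def triage(inventory):
    """Map each host to the status of its install."""
    return {host: status(product, ver) for host, product, ver in inventory}


if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(host, result)
```

Hosts marked `review` carry a product or version string the script cannot classify and should be checked manually.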
