CVE-2026-8094 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-8094 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-8094 is a critical-severity vulnerability in the WebRTC component of Mozilla Firefox and Mozilla Thunderbird, addressed in Firefox ESR 140.10.2 and Thunderbird 140.10.2.

Technical Detail

The flaw resides in the WebRTC implementation, which handles real-time audio, video, and data communication within the browser and email client. The specific nature of the issue has not been fully disclosed by Mozilla beyond classification as an "other" issue in the WebRTC component, which may indicate a memory safety, logic, or protocol handling defect. Given the CVSS score of 9.8, the vulnerability is likely remotely exploitable without authentication and could result in arbitrary code execution or significant memory corruption in the context of the affected application.

Exploitation Status

No known exploit exists for this vulnerability at this time. It is not listed in CISA's Known Exploited Vulnerabilities catalog. There is no public proof-of-concept code or evidence of active exploitation in the wild as of May 14, 2026.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this vulnerability.

What To Do

Organizations should prioritize patching Firefox ESR to version 140.10.2 and Thunderbird to version 140.10.2 promptly given the critical CVSS rating and the attack surface exposed by WebRTC, which is reachable through normal browsing and email activity. Administrators should verify deployed versions across endpoints and push updates through standard patch management channels. Where immediate patching is not feasible, consider disabling WebRTC functionality via enterprise policy controls as a temporary mitigation. Monitor endpoint detection tooling for anomalous behavior originating from Firefox or Thunderbird processes as a compensating detection measure.
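The version check described above, as an added example (not code from Mozilla or from this briefing's sources). The inventory row format, the product labels `firefox-esr` and `thunderbird`, the status names, and the sample hosts are assumptions made for illustration.

```python
import re

# Fixed versions named in this briefing.
FIXED = {"firefox-esr": (140, 10, 2), "thunderbird": (140, 10, 2)}

# Matches a trailing version such as "140.10.2esr" or "141.0".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:esr)?$", re.IGNORECASE)

def parse_version(text):
    """Return (major, minor, patch) from a string ending in a version, else None."""
    match = _VERSION_RE.search(text.strip())
    if not match:
        return None
    return tuple(int(part or 0) for part in match.groups())

def classify(product, version_text):
    """Classify one endpoint record against the fixed version for its product."""
    fixed = FIXED.get(product)
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unparsed"  # never count an unreadable record as patched
    if version[0] > fixed[0]:
        # The briefing names only the 140.10.2 fix; other branches need
        # to be checked against the vendor advisory.
        return "check-advisory"
    return "ok" if version >= fixed else "update"

def audit(inventory):
    """Return {status: [hosts]} for an iterable of (host, product, version) rows."""
    report = {}
    for host, product, version_text in inventory:
        report.setdefault(classify(product, version_text), []).append(host)
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-001", "firefox-esr", "Mozilla Firefox 140.10.2esr"),
    ("ws-002", "firefox-esr", "Mozilla Firefox 140.10.1esr"),
    ("ws-003", "thunderbird", "Mozilla Thunderbird 140.9.0esr"),
    ("ws-004", "firefox-esr", "Mozilla Firefox 128.14.0esr"),
    ("ws-005", "thunderbird", "Thunderbird 141.0"),
    ("ws-006", "firefox-esr", "version unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `unparsed` or `check-advisory` need manual follow-up; only `ok` means the record meets the fixed version stated here.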
