CVE-2026-8090

EUVD-2026-28361
Use-after-free in the DOM: Networking component. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
mozillafirefox_esr
𝑥
< 115.35.2
mozillafirefox
𝑥
< 150.0.2
mozillafirefox_esr
128.0 ≤
𝑥
< 140.10.2
mozillathunderbird_esr
𝑥
< 140.10.2
mozillathunderbird
𝑥
< 150.0.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
firefox
sid
vulnerable
firefox-esr
bookworm
vulnerable
bookworm (security)
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
trixie (security)
vulnerable
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://bugzilla.mozilla.org/show_bug.cgi?id=2034352
https://www.mozilla.org/security/advisories/mfsa2026-40/
https://www.mozilla.org/security/advisories/mfsa2026-41/
https://www.mozilla.org/security/advisories/mfsa2026-42/
https://www.mozilla.org/security/advisories/mfsa2026-43/
https://www.mozilla.org/security/advisories/mfsa2026-44/