CVE-2026-8958

high

Published 2026-05-27 · Modified 2026-05-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

8.6

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.6

Description

Important: thunderbird security update

Predictions

Exploit likelihood

91%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description firefox: Information disclosure, sandbox escape in the Security: Process Sandboxing component Red Hat statement Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory. CVSS v3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Enterprise Linux…

Description

firefox: Information disclosure, sandbox escape in the Security: Process Sandboxing component

Red Hat statement

Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.

CVSS v3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 8	`firefox-0:140.11.0-1.el8_10`	RHSA-2026:21382	2026-05-27T00:00:00Z
Red Hat Enterprise Linux 9	`thunderbird-0:140.11.0-1.el9_8`	RHSA-2026:21381	2026-05-27T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 10	`firefox`	Affected
Red Hat Enterprise Linux 10	`rhel10/firefox-flatpak`	Affected
Red Hat Enterprise Linux 10	`rhel10/thunderbird-flatpak`	Affected
Red Hat Enterprise Linux 10	`thunderbird`	Affected
Red Hat Enterprise Linux 6	`firefox`	Out of support scope
Red Hat Enterprise Linux 6	`thunderbird`	Out of support scope
Red Hat Enterprise Linux 7	`firefox`	Affected
Red Hat Enterprise Linux 7	`thunderbird`	Out of support scope
Red Hat Enterprise Linux 8	`thunderbird`	Affected
Red Hat Enterprise Linux 9	`firefox`	Affected

Apply commands

bash fix

Apply RHSA-2026:21382 for Red Hat Enterprise Linux 8

yum update -y firefox
# or:
dnf upgrade -y firefox

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 7	`Affected`
redhat	Red Hat Enterprise Linux 8	`Affected`
redhat	Red Hat Enterprise Linux 9	`Affected`

OS impact

OS	Version	Status	Fixed in
rhel	9	fixed
debian	sid	fixed	`151.0-1`
debian	bookworm	fixed	`140.11.0esr-1~deb12u1`
debian	bullseye	fixed	`140.11.0esr-1~deb11u1`
debian	forky	fixed	`140.11.0esr-1`
debian	trixie	fixed	`140.11.0esr-1~deb13u1`
sles		affected
almalinux	9	fixed	`firefox-x11-140.11.0-1.el9_8.alma.1.ppc64le.rpm`
almalinux	8	fixed	`firefox-140.11.0-1.el8_10.alma.1.aarch64.rpm`

Application impact

Vendor	Product	Versions	Fixed
mozilla	firefox	`{"endExcluding":"140.11.0"}`	`140.11.0`
mozilla	thunderbird	`{"endExcluding":"140.11"}`	`140.11`

References

CWEs

CWE-668 CWE-693

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.