CVE-2026-8965 Overview
CVE-2026-8965 is an information disclosure vulnerability in the DOM: Security component of Mozilla Firefox and Mozilla Thunderbird. The flaw allows a remote attacker to access sensitive information rendered or processed within the browser's Document Object Model (DOM) security boundary. Mozilla addressed the issue in Firefox 151 and Thunderbird 151. The weakness maps to CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. No public exploit code is available, and CISA has not listed the issue in its Known Exploited Vulnerabilities catalog.
Critical Impact
Remote attackers can retrieve confidential data from the browser's DOM context without authentication or user interaction.
Affected Products
- Mozilla Firefox versions prior to 151
- Mozilla Thunderbird versions prior to 151
- Any downstream distribution shipping the affected DOM: Security component
Discovery Timeline
- 2026-05-19 - CVE-2026-8965 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-8965
Vulnerability Analysis
The vulnerability resides in the DOM: Security component, which enforces same-origin and content security policies inside Firefox and Thunderbird. A defect in this component lets attacker-controlled web content read data it should not be authorized to access. The issue is network-exploitable, requires no privileges, and needs no user interaction beyond loading attacker-controlled content. Confidentiality is the only impacted security property; integrity and availability remain unaffected.
Mozilla classifies the flaw as a CWE-200 information exposure. Firefox 151 and Thunderbird 151 contain the corrective patches. Refer to the Mozilla Bug Report #2025740 for the internal tracking record.
Root Cause
The root cause is improper enforcement of security boundaries within the DOM layer. Code paths handling cross-context data fail to consistently apply origin or policy checks. As a result, restricted DOM properties or internal state become observable from less-privileged scripts. Mozilla's advisories MFSA-2026-46 and MFSA-2026-50 document the remediation.
Attack Vector
An attacker hosts a malicious page or delivers crafted HTML email content rendered by Thunderbird. When a victim loads the content, attacker JavaScript queries the DOM through the vulnerable code path. The browser returns data from a security context that should remain isolated. Exfiltrated information can include cross-origin response data, authentication tokens reflected in the DOM, or other sensitive page state.
No verified proof-of-concept code is published. See the Mozilla Bug Report #2025740 for technical details once Mozilla unrestricts the report.
Detection Methods for CVE-2026-8965
Indicators of Compromise
- Browser telemetry showing Firefox or Thunderbird versions below 151 connecting to untrusted domains
- Unexpected outbound requests carrying base64 or JSON blobs of DOM content to attacker-controlled hosts
- HTML email opened in Thunderbird that loads remote script content from low-reputation domains
Detection Strategies
- Inventory Firefox and Thunderbird installations and flag any build earlier than 151 as vulnerable
- Inspect web proxy and DNS logs for connections to newly registered domains immediately after browser launches
- Hunt for endpoints fetching JavaScript that probes uncommon DOM APIs tied to cross-origin reads
Monitoring Recommendations
- Forward browser process telemetry and proxy logs to a centralized analytics platform for correlation
- Alert when Thunderbird renders remote content in HTML email despite policy restrictions
- Track patch deployment status across managed endpoints to confirm coverage of Firefox and Thunderbird 151
How to Mitigate CVE-2026-8965
Immediate Actions Required
- Upgrade Firefox to version 151 or later on all managed endpoints
- Upgrade Thunderbird to version 151 or later, including server-managed profiles
- Restart browser and mail client processes after upgrade to ensure the patched binaries are loaded
- Audit enterprise policy files to confirm automatic updates remain enabled
Patch Information
Mozilla released fixes in Firefox 151 and Thunderbird 151. Review Mozilla Security Advisory MFSA-2026-46 and Mozilla Security Advisory MFSA-2026-50 for package details and verification hashes.
Workarounds
- Disable JavaScript for untrusted sites using enterprise policy until patches are deployed
- Configure Thunderbird to block remote content in HTML messages by default
- Restrict browsing to known-good domains through proxy allow-lists where business processes allow
# Enterprise policy example to block remote content in Thunderbird
# /etc/thunderbird/policies/policies.json
{
"policies": {
"DisableAppUpdate": false,
"BlockAboutConfig": true,
"Preferences": {
"mailnews.message_display.disable_remote_image": {
"Value": true,
"Status": "locked"
}
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
