CVE-2026-8966 Overview
CVE-2026-8966 is an information disclosure vulnerability in the IP Protection component of Mozilla Firefox and Mozilla Thunderbird. The flaw allows a remote attacker to obtain confidential information over the network without authentication or user interaction. Mozilla resolved the issue in Firefox 151 and Thunderbird 151. The vulnerability is tracked under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
Critical Impact
A network-based attacker can bypass the IP Protection feature and disclose sensitive client information without authentication or user interaction.
Affected Products
- Mozilla Firefox versions prior to 151
- Mozilla Thunderbird versions prior to 151
- Deployments relying on the IP Protection component for privacy
Discovery Timeline
- 2026-05-19 - CVE-2026-8966 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-8966
Vulnerability Analysis
The vulnerability resides in the IP Protection component, a feature designed to mask or proxy client network identifiers. An implementation flaw causes the component to leak protected information to remote endpoints under specific conditions. Attackers exploit the issue purely over the network without privileges or user interaction.
The confidentiality impact is high, while integrity and availability are not affected. The flaw aligns with CWE-200, where a product exposes sensitive information to actors that should not have access. EPSS data rates the probability of in-the-wild exploitation as low, and no public proof-of-concept is currently available.
Root Cause
The root cause is improper handling of data within the IP Protection subsystem of Firefox and Thunderbird. The component fails to fully restrict sensitive client-side network information from leaving the trust boundary it was designed to enforce. Refer to Mozilla Bug #2025849 for the technical defect record.
Attack Vector
The attack vector is network-based with low complexity. A remote attacker controlling or observing a web resource accessed by the victim can retrieve information that IP Protection was intended to hide. No authentication or user interaction is required, which broadens the population of exploitable clients. Exploitation is silent and produces no visible indicators inside the browser or mail client.
No verified exploit code is currently available. See Mozilla Security Advisory MFSA-2026-46 and Mozilla Security Advisory MFSA-2026-50 for vendor details.
Detection Methods for CVE-2026-8966
Indicators of Compromise
- Firefox or Thunderbird client builds reporting a version earlier than 151 in user-agent strings or telemetry inventories.
- Outbound network requests from browser or mail processes containing client identifiers that IP Protection should have masked.
- Web access logs showing repeated correlation between protected client sessions and identifiable network metadata.
Detection Strategies
- Inventory all endpoints and identify Firefox and Thunderbird installations below version 151 using software asset management.
- Monitor browser-originated HTTPS traffic for anomalous metadata leakage from clients with IP Protection enabled.
- Correlate endpoint telemetry with proxy and DNS logs to flag traffic patterns inconsistent with expected IP Protection behavior.
Monitoring Recommendations
- Track Mozilla advisories MFSA-2026-46 and MFSA-2026-50 for follow-up guidance or related CVEs.
- Alert on installations of outdated Firefox and Thunderbird builds appearing in EDR inventory reports.
- Review egress traffic from user endpoints for unexpected disclosure of client IP, geolocation, or session identifiers.
How to Mitigate CVE-2026-8966
Immediate Actions Required
- Upgrade Mozilla Firefox to version 151 or later on all managed endpoints.
- Upgrade Mozilla Thunderbird to version 151 or later across desktop and server-deployed installations.
- Enforce automatic updates for Mozilla products through enterprise policy where supported.
- Validate that update deployments succeeded by querying installed versions through endpoint management tools.
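One way to script the version validation, as an added example that is not part of the original advisory or Mozilla tooling. The function names, the pipe-delimited "host|version output" inventory format and the sample hosts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify `firefox --version` / `thunderbird --version` output
# against the fixed release named in the advisory (151 for both products).
FIXED_MAJOR=151

# classify_version "<version output>" -> prints patched | vulnerable | unknown
# ESR builds are judged by major number too, because the advisory names only
# 151 as the fixed version.
classify_version() {
    # Pick the last field that looks like a version ("150.0.1", "140.3.0esr").
    ver=$(printf '%s\n' "$1" | awk '{
        for (i = NF; i > 0; i--)
            if ($i ~ /^[0-9]+\./ || $i ~ /^[0-9]+$/) { print $i; exit }
    }')
    major=${ver%%.*}
    case "$major" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # no parseable version
    esac
    if [ "$major" -ge "$FIXED_MAJOR" ]; then echo patched; else echo vulnerable; fi
}

# audit_inventory: reads "host|version output" lines on stdin and prints the
# hosts that still need attention (vulnerable or unparseable output).
audit_inventory() {
    while IFS='|' read -r host output; do
        [ -n "$host" ] || continue
        status=$(classify_version "$output")
        [ "$status" = patched ] || printf '%s %s\n' "$host" "$status"
    done
}

# check_local: run the same check against the binaries on this endpoint.
check_local() {
    for bin in firefox thunderbird; do
        if command -v "$bin" >/dev/null 2>&1; then
            printf '%s %s\n' "$bin" "$(classify_version "$("$bin" --version 2>/dev/null)")"
        fi
    done
}

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY='ws-01|Mozilla Firefox 150.0.1
ws-02|Mozilla Firefox 151.0
ws-03|Mozilla Thunderbird 140.3.0esr
ws-04|Mozilla Thunderbird 151.0.1
ws-05|firefox: command not found'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

Hosts whose output cannot be parsed are reported as unknown rather than silently treated as patched; on an endpoint, call check_local instead of feeding an inventory.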
Patch Information
Mozilla fixed the vulnerability in Firefox 151 and Thunderbird 151. Detailed remediation guidance is published in Mozilla Security Advisory MFSA-2026-46 and Mozilla Security Advisory MFSA-2026-50. Administrators should deploy the vendor-supplied builds rather than attempting source-level fixes.
Workarounds
- Disable or avoid relying on the IP Protection feature on unpatched clients until upgrades complete.
- Route browser and mail traffic through a controlled corporate proxy or VPN to reduce direct exposure of client identifiers.
- Restrict access to untrusted web content on hosts that cannot immediately upgrade.
# Verify installed Firefox and Thunderbird versions on Linux endpoints
firefox --version
thunderbird --version

Example enterprise policy enforcing automatic updates (policies.json). Place it in the distribution/ directory of the Firefox or Thunderbird install:

{
  "policies": {
    "DisableAppUpdate": false,
    "AppAutoUpdate": true
  }
}


