CVE-2026-8967 Overview
CVE-2026-8967 is an information disclosure vulnerability affecting the Graphics: WebGPU component in Mozilla Firefox and Mozilla Thunderbird. The flaw allows a remote attacker to read sensitive data from the browser process without requiring authentication or user interaction. Mozilla addressed the issue in Firefox 151 and Thunderbird 151. The weakness is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor. Attackers can leverage the WebGPU rendering pipeline to extract residual graphics memory contents from a victim's browser session.
Critical Impact
A network-based attacker can trigger information disclosure through the WebGPU component with no privileges or user interaction, exposing confidential in-process data.
Affected Products
- Mozilla Firefox versions prior to 151
- Mozilla Thunderbird versions prior to 151
- Systems with WebGPU enabled in the affected Mozilla products
Discovery Timeline
- 2026-05-19 - CVE-2026-8967 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-8967
Vulnerability Analysis
The vulnerability resides in the WebGPU implementation within the Graphics subsystem of Firefox and Thunderbird. WebGPU exposes low-level GPU functionality to web content for compute and rendering workloads. When the component fails to properly initialize or isolate graphics buffer memory, residual data from prior allocations can be returned to JavaScript running in a web page. An attacker hosting a malicious page can issue crafted WebGPU calls that read uninitialized or cross-context memory. The disclosed contents may include data from other tabs, GPU textures, or sensitive process memory. Thunderbird inherits the same browser engine and is affected when remote content is rendered.
Root Cause
The root cause is improper handling of memory within the WebGPU pipeline, mapped to [CWE-200]. Graphics buffers reachable through the WebGPU API expose information that should remain isolated from untrusted web content.
Attack Vector
The attack vector is network-based. An attacker delivers a crafted web page or HTML email containing WebGPU shader and buffer operations. When a victim using a vulnerable version visits the page or renders the content, the malicious script reads sensitive data and exfiltrates it to an attacker-controlled endpoint. No authentication or user interaction beyond visiting the page is required.
No public proof-of-concept code has been verified for this CVE. For technical specifics on the fix, refer to the Mozilla Bug Report #2027173 and the Mozilla Security Advisory MFSA-2026-46.
Detection Methods for CVE-2026-8967
Indicators of Compromise
- Outbound HTTPS requests from browser processes to unfamiliar domains shortly after visiting untrusted sites with WebGPU content
- Browser telemetry showing unexpected WebGPU context creation from low-reputation origins
- Firefox or Thunderbird versions below 151 present in endpoint inventory
Detection Strategies
- Inventory installed Firefox and Thunderbird versions across managed endpoints and flag any build earlier than 151
- Monitor browser child process network activity for anomalous data egress patterns following web navigation events
- Inspect HTTP response bodies for pages serving WebGPU shader code from untrusted or newly registered domains
Monitoring Recommendations
- Enable endpoint telemetry on browser process behavior, including GPU process spawning and memory allocation anomalies
- Correlate web proxy logs with browser version data to identify exposed clients accessing high-risk content
- Track Mozilla security advisories MFSA-2026-46 and MFSA-2026-50 for additional indicators and related fixes
How to Mitigate CVE-2026-8967
Immediate Actions Required
- Update Mozilla Firefox to version 151 or later on all endpoints
- Update Mozilla Thunderbird to version 151 or later on all endpoints
- Force-restart browser sessions to ensure patched binaries are loaded into memory
- Prioritize patching for users handling sensitive data or operating in high-risk roles
Patch Information
Mozilla fixed the vulnerability in Firefox 151 and Thunderbird 151. Patch details and remediation guidance are published in the Mozilla Security Advisory MFSA-2026-46 and the Mozilla Security Advisory MFSA-2026-50.
Workarounds
- Disable WebGPU in Firefox by setting dom.webgpu.enabled to false in about:config until patching is complete
- Block remote content rendering in Thunderbird and restrict HTML email previews from untrusted senders
- Apply browser policy templates to enforce minimum version requirements through enterprise management tools
# Configuration example: disable WebGPU via Firefox enterprise policy (policies.json)
{
"policies": {
"Preferences": {
"dom.webgpu.enabled": {
"Value": false,
"Status": "locked"
}
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
