CVE-2026-8958

high

Published 2026-05-27 · Modified 2026-06-03

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

8.6

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.6

Description

Important: thunderbird security update

Predictions

Exploit likelihood

91%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description firefox: Information disclosure, sandbox escape in the Security: Process Sandboxing component Red Hat statement Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory. CVSS v3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) Errata / fixed releases ProductPackageAdvisoryReleased Red Hat Enterprise Linux…

Description

firefox: Information disclosure, sandbox escape in the Security: Process Sandboxing component

Red Hat statement

Red Hat Product Security rates the severity of this flaw as determined by the Mozilla Foundation Security Advisory.

CVSS v3: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Errata / fixed releases

Product	Package	Advisory	Released
Red Hat Enterprise Linux 8	`firefox-0:140.11.0-1.el8_10`	RHSA-2026:21382	2026-05-27T00:00:00Z
Red Hat Enterprise Linux 9	`thunderbird-0:140.11.0-1.el9_8`	RHSA-2026:21381	2026-05-27T00:00:00Z

Package state

Product	Package	State
Red Hat Enterprise Linux 10	`firefox`	Affected
Red Hat Enterprise Linux 10	`rhel10/firefox-flatpak`	Affected
Red Hat Enterprise Linux 10	`rhel10/thunderbird-flatpak`	Affected
Red Hat Enterprise Linux 10	`thunderbird`	Affected
Red Hat Enterprise Linux 6	`firefox`	Out of support scope
Red Hat Enterprise Linux 6	`thunderbird`	Out of support scope
Red Hat Enterprise Linux 7	`firefox`	Affected
Red Hat Enterprise Linux 7	`thunderbird`	Out of support scope
Red Hat Enterprise Linux 8	`thunderbird`	Affected
Red Hat Enterprise Linux 9	`firefox`	Affected

Apply commands

bash fix

Apply RHSA-2026:21382 for Red Hat Enterprise Linux 8

yum update -y firefox
# or:
dnf upgrade -y firefox

Affected

Vendor	Product	Version
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 10	`Affected`
redhat	Red Hat Enterprise Linux 7	`Affected`
redhat	Red Hat Enterprise Linux 8	`Affected`
redhat	Red Hat Enterprise Linux 9	`Affected`

OS impact

SUSE Affected 1 release

Version	Status	Fixed in
—	Affected	—

AlmaLinux Fixed 2 releases

Version	Status	Fixed in
9	Fixed	`firefox-x11-140.11.0-1.el9_8.alma.1.ppc64le.rpm`
8	Fixed	`firefox-140.11.0-1.el8_10.alma.1.aarch64.rpm`

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`140.11.0esr-1~deb13u1`
sid	Fixed	`151.0-1`
forky	Fixed	`140.11.0esr-1`
bullseye	Fixed	`140.11.0esr-1~deb11u1`
bookworm	Fixed	`140.11.0esr-1~deb12u1`

Red Hat Fixed 2 releases

Version	Status	Fixed in
9	Fixed	—
8	Fixed	—

Application impact

Vendor	Product	Versions	Fixed
mozilla	firefox	`{"endExcluding":"140.11.0"}`	`140.11.0`
mozilla	thunderbird	`{"endExcluding":"140.11"}`	`140.11`

References

CWEs

CWE-668 CWE-693

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.