CVE-2026-0877
Published: 13 January 2026
Summary
CVE-2026-0877 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Mozilla Firefox. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of known software flaws like CVE-2026-0877 through patching Firefox and Thunderbird to fixed versions.
Vulnerability scanning identifies systems running vulnerable versions of Firefox or Thunderbird affected by the DOM security bypass in CVE-2026-0877.
Ensures receipt and dissemination of security advisories such as Mozilla's MFSA for CVE-2026-0877 to prompt patching.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability is a DOM mitigation bypass in browser, directly enabling remote exploitation via crafted malicious webpage requiring user interaction (drive-by compromise and malicious link).
NVD Description
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 147, Firefox ESR 115.32, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.
Deeper analysisAI
CVE-2026-0877 is a mitigation bypass vulnerability in the DOM: Security component of Mozilla Firefox and Thunderbird. It affects versions of Firefox prior to 147, Firefox ESR prior to 115.32 and 140.7, Thunderbird prior to 147, and Thunderbird prior to 140.7. The issue, classified under CWE-693 (Protection Mechanism Failure), was published on 2026-01-13 and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), indicating high severity due to its potential for confidentially and integrity impacts.
A remote attacker can exploit this vulnerability without privileges by tricking a user into interacting with malicious content, such as visiting a crafted webpage. Successful exploitation bypasses security mitigations in the DOM, enabling high-impact confidentiality violations like information disclosure and integrity violations such as content manipulation, while maintaining unchanged scope and no availability disruption.
Mozilla's security advisories (MFSA 2026-01 through 2026-04) and the associated Bugzilla entry (1999257) confirm the vulnerability was addressed by updating to Firefox 147, Firefox ESR 115.32 or 140.7, Thunderbird 147, or Thunderbird 140.7, recommending immediate patching for affected users.
Details
- CWE(s)