Cyber Resilience

CVE-2026-0889

HighPublic PoCDDoS

Published: 13 January 2026

Published
13 January 2026
Modified
13 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0002 5.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-0889 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Mozilla Firefox. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 5.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-0889 is a denial-of-service vulnerability in the DOM Service Workers component of Mozilla Firefox and Thunderbird. It affects versions of these browsers prior to Firefox 147 and Thunderbird 147, in which the issue was fixed. Published on 2026-01-13, the vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-400 (Uncontrolled Resource Consumption).

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and without requiring user interaction or privileges. Exploitation results in a denial of service, causing high-impact disruption to availability while having no effect on confidentiality or integrity.

Mozilla advisories detail the patch in Firefox 147 and Thunderbird 147, recommending immediate updates to mitigate the issue. Additional technical details are available in Mozilla Foundation Security Advisory 2026-01 and 2026-04, along with Bugzilla entry 1999084.

EU & UK References

Vulnerability details

Denial-of-service in the DOM: Service Workers component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct exploitation of the described vulnerability (CWE-400 uncontrolled resource consumption in browser Service Workers) enables an adversary to crash or impair the target application, matching T1499.004 Application or System Exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4727Same product: Mozilla Firefox
CVE-2026-6781Same product: Mozilla Firefox
CVE-2026-6777Same product: Mozilla Firefox
CVE-2026-6759Same product: Mozilla Firefox
CVE-2026-6773Same product: Mozilla Firefox
CVE-2026-4704Same product: Mozilla Firefox
CVE-2026-4726Same product: Mozilla Firefox
CVE-2026-6758Same product: Mozilla Firefox
CVE-2026-8968Same product: Mozilla Firefox
CVE-2026-2801Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 147.0
mozilla
thunderbird
≤ 147.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly mitigates this CVE by requiring timely patching of the vulnerable DOM Service Workers component to Firefox/Thunderbird 147 or later.

prevent

Denial-of-service protection limits the effects of uncontrolled resource consumption attacks exploiting the Service Workers component.

prevent

Resource availability protections enforce limits and quotas to prevent exhaustion from the CWE-400 vulnerability in DOM Service Workers.

References