Cyber Resilience

CVE-2026-0891

HighUpdated

Published: 13 January 2026

Published
13 January 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0039 30.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-0891 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Mozilla Firefox. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 30.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-0891 involves multiple memory safety bugs (classified under CWE-119) affecting Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146, and Thunderbird 146. These bugs exhibited evidence of memory corruption, which Mozilla presumes could be exploited with sufficient effort to achieve arbitrary code execution. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to potential impacts on confidentiality, integrity, and availability.

Remote attackers without privileges can exploit this vulnerability over a network, though it requires high attack complexity and no user interaction. Successful exploitation could lead to memory corruption enabling arbitrary code execution within the affected browser or email client processes.

Mozilla's security advisories (MFSA 2026-01, 2026-03, 2026-04, and 2026-05) detail the fixes, which are available in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird ESR 140.7. Practitioners should prioritize updating to these patched versions, with additional technical details in the linked Bugzilla entries for bugs 1964722, 2000981, 2003100, and 2003278.

EU & UK References

Vulnerability details

Memory safety bugs present in Firefox ESR 140.6, Thunderbird ESR 140.6, Firefox 146 and Thunderbird 146. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to…

more

run arbitrary code. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Memory corruption bugs enabling remote arbitrary code execution in client applications (browser/email) directly map to client-side exploitation for code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-5731Same product: Mozilla Firefox
CVE-2026-8093Same product: Mozilla Firefox
CVE-2026-7324Same product: Mozilla Firefox
CVE-2026-6752Same product: Mozilla Firefox
CVE-2026-8974Same product: Mozilla Firefox
CVE-2026-2779Same product: Mozilla Firefox
CVE-2026-8954Same product: Mozilla Firefox
CVE-2026-6776Same product: Mozilla Firefox
CVE-2026-4710Same product: Mozilla Firefox
CVE-2026-8975Same product: Mozilla Firefox

Affected Assets

mozilla
firefox
≤ 140.7.0 · ≤ 147.0
mozilla
thunderbird
≤ 140.7.0 · ≤ 147.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of flaws such as the memory safety bugs in CVE-2026-0891 through patching to updated versions like Firefox 147.

prevent

Implements memory protection mechanisms like ASLR and DEP to directly mitigate exploitation of memory corruption vulnerabilities classified under CWE-119.

prevent

Enforces process isolation through sandboxing to contain arbitrary code execution resulting from memory safety bugs within the affected browser or email client processes.

References