Cyber Posture

CVE-2026-8091

Critical

Published: 07 May 2026

Published
07 May 2026
Modified
11 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0002 6.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-8091 is a critical-severity Improper Check for Unusual or Exceptional Conditions (CWE-754) vulnerability in Mozilla Firefox. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AU-5 Response to Audit Logging Process Failures
addresses: CWE-754

Requires detection and response to audit logging failures as an unusual or exceptional condition.

CP-12 Safe Mode
addresses: CWE-754

Implements detection of unusual or exceptional conditions followed by safe mode entry, reducing the window for exploitation of unchecked conditions.

CP-3 Contingency Training
addresses: CWE-754

Training ensures users perform required checks for unusual or exceptional conditions as part of contingency roles, limiting attacker leverage from skipped validations.

IR-3 Incident Response Testing
addresses: CWE-754

IR testing directly validates checks for unusual or exceptional conditions that could indicate security incidents.

PM-31 Continuous Monitoring Strategy
addresses: CWE-754

Requires ongoing monitoring of organization-defined metrics and analysis, enabling checks for unusual or exceptional conditions.

SA-11 Developer Testing and Evaluation
addresses: CWE-754

Security testing routinely checks for unusual or exceptional inputs/conditions, identifying missing validation steps that flaw remediation then resolves.

SC-24 Fail in Known State
addresses: CWE-754

Requires detection of unusual conditions followed by a controlled transition to the defined failure state.

SI-13 Predictable Failure Prevention
addresses: CWE-754

MTTF determination forces explicit checks for conditions that precede predictable component failure.

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
attack.mitre.org →
Why these techniques?

Critical RCE in browser AV playback (CWE-754 boundary error) directly enables client-side exploitation via malicious media (T1203) and drive-by attacks (T1189).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect boundary conditions in the Audio/Video: Playback component. This vulnerability was fixed in Firefox 150, Thunderbird 150, Firefox ESR 140.10.1, Thunderbird 140.10.1, and Firefox ESR 115.35.2.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
NVD-CWE-noinfoCWE-754

Affected Products

mozilla
firefox
≤ 115.35.2 · 140.0 — 140.10.1
mozilla
thunderbird
140.0 — 140.10.1

CVEs Like This One

CVE-2026-2781Same product: Mozilla Firefox
CVE-2026-0882Same product: Mozilla Firefox
CVE-2026-2805Same product: Mozilla Firefox
CVE-2026-2793Same product: Mozilla Firefox
CVE-2026-4718Same product: Mozilla Firefox
CVE-2026-2759Same product: Mozilla Firefox
CVE-2025-1933Same product: Mozilla Firefox
CVE-2026-6783Same product: Mozilla Firefox
CVE-2026-6751Same product: Mozilla Firefox
CVE-2026-6766Same product: Mozilla Firefox

References