CVE-2026-8947: Use-after-free in the DOM: Bindings (WebIDL) component
Published May 19, 2026
Use-after-free in the DOM: Bindings (WebIDL) component. This vulnerability was fixed in Firefox 151, Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
Affected Software
9 affected components. Fixes available.
Mozilla Firefox ESR < 115.36 (fixed in 115.36)
Mozilla Firefox < 151 (fixed in 151)
Mozilla Firefox ESR < 140.11 (fixed in 140.11)
Mozilla Thunderbird < 151 (fixed in 151)
Mozilla Thunderbird < 140.11 (fixed in 140.11)
Mozilla Firefox < 115.36.0
Mozilla Firefox < 151.0.0
Mozilla Firefox >= 140.0, < 140.11.0
Mozilla Thunderbird < 140.11
Event History
May 19, 2026
12:00 AM, via Mozilla: CVE Published
12:00 AM, via Mozilla: Data Sourced (Description, Severity, Affected Software)
12:00 AM, via Mozilla: Updated (Affected Software)
12:29 PM, via MITRE: CVE Published
12:29 PM, via MITRE: Data Sourced (Description)
02:16 PM, via NVD: Data Sourced (Description, Severity, Weakness, Affected Software)
Frequently Asked Questions
1. What is the severity of CVE-2026-8947?
CVE-2026-8947 is classified as a critical vulnerability due to its potential to cause significant exploitation risks.
2. How do I fix CVE-2026-8947?
To fix CVE-2026-8947, update to Firefox version 151, Firefox ESR version 115.36, or Thunderbird version 151.
3. Which versions are affected by CVE-2026-8947?
CVE-2026-8947 affects versions of Firefox below 151, Firefox ESR below 115.36, and Thunderbird below 151.
4. What is the nature of the vulnerability CVE-2026-8947?
CVE-2026-8947 is a use-after-free vulnerability in the DOM: Bindings (WebIDL) component.
5. Has CVE-2026-8947 been fixed in earlier versions of Firefox or Thunderbird?
No, CVE-2026-8947 was addressed in specific updates starting with Firefox 151 and Firefox ESR 115.36.