Overview

Vulnerabilities reported to Mozilla Firefox by our member have been assigned new CVE identifiers. They are CVE-2026-8947 (Use-after-free in the DOM: Bindings (WebIDL) component) and CVE-2026-8964 (Spoofing issue in the Popup Blocker component), both listed in the Firefox 151.0 security advisory (MFSA 2026-46). Their impact ratings are high and low, respectively.

CVE-2026-8947 in MFSA 2026-46
CVE-2026-8947 in MFSA 2026-46
CVE-2026-8964 in MFSA 2026-46
CVE-2026-8964 in MFSA 2026-46

AI-Driven Discovery of a Memory Corruption Bug

CVE-2026-8947 is a Use-After-Free that was identified starting from a memory crash observed during our AI-assisted vulnerability research. At the time of Firefox 149.0, a UAF had also been detected and confirmed with ASan, but we were aware of a prior reporter and refrained from submitting our own report. This time, a memory corruption bug surfaced through AI-assisted investigation has been assigned a CVE rated as high for the first time.

Firefox Nightly crash
Firefox Nightly crash
UAF detection by ASan
UAF detection by ASan

Mozilla operates continuous scanning pipelines such as Mythos, yet memory corruption bugs still surface in our subsequent research. We attribute this largely to our distinctive architectural setup.

Ongoing Vulnerability Research

We have developed a proprietary approach that leverages LLMs for vulnerability research, and we will continue investigating major software including browsers. Based on this hands-on vulnerability discovery expertise, we provide security assessment and consulting services. If you are interested, please feel free to contact us.