VULNERABILITY
A same-origin policy bypass vulnerability was identified in the Networking: JAR component of Mozilla Firefox. The affected versions fail to reject a null byte (%00) embedded in a jar: or resource:/// URI path before that value reaches downstream filename resolution and content-type derivation logic. Because origin and content-type attribution for jar:-backed resources depend on correctly resolving the inner archive entry name, an unrejected null byte allows the browser to associate one resource’s declared identity with content actually served under a different identity.
The defect is exploitable through two related primitives. First, a crafted jar:file:/// URI can force Firefox to present a completely attacker-chosen download filename and extension regardless of the archive’s real contents. Second, a null byte placed before a file extension causes Firefox to derive the MIME type from the attacker-supplied suffix rather than the actual resource, producing a content-type mismatch. Because resource:/// resolves internally to jar:, and moz-extension:// resolves internally to resource:///, the same defect is reachable through any installed browser extension that declares a wildcard entry in web_accessible_resources, extending the practical attack surface from local file URIs to ordinary web content.
This is the third vulnerability in the same root-cause chain. CVE-2025-1936 first identified null byte handling issues in JAR entry resolution and was fixed by replacing unsafe C string handling with a length-aware string type. CVE-2026-2790 found that a double-encoded null byte (%2500) bypassed that fix and was patched by disabling content sniffing for JAR channels entirely. CVE-2026-8971 demonstrates that neither prior fix rejected the null byte at the URL parsing layer itself, leaving the filename resolution and MIME type derivation logic, two further downstream consumers of the same unsanitized value, still exploitable.
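The point of the chain above is that the null byte has to be refused once, at the URL layer, before any consumer sees it. The following is an added example and not Mozilla's patch or code from the advisory: a standalone filter (for a proxy rule, log scanner or test harness) that rejects jar:, resource: and moz-extension: URIs carrying a NUL at any percent-encoding depth, generalizing the %00 and %2500 cases to arbitrary nesting. The function names, the decode bound and the sample URIs are assumptions made for illustration.

```javascript
// Added example, not Mozilla's patch. All names here are hypothetical.
const JAR_BACKED_SCHEMES = ["jar:", "resource:", "moz-extension:"];
const MAX_DECODE_ROUNDS = 5; // assumed bound on nested percent-encoding

// Decode %XX escapes one level; malformed escapes are left untouched.
function percentDecodeOnce(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Decide whether a URI must be refused before any consumer
// (filename resolution, MIME derivation) gets to see it.
function checkJarBackedUri(uri) {
  const lower = uri.trim().toLowerCase();
  if (!JAR_BACKED_SCHEMES.some((s) => lower.startsWith(s))) {
    return { reject: false, reason: "scheme not jar-backed" };
  }
  let current = uri;
  for (let round = 0; round <= MAX_DECODE_ROUNDS; round++) {
    if (current.includes("\u0000")) {
      return { reject: true, reason: `NUL after ${round} decode round(s)` };
    }
    const next = percentDecodeOnce(current);
    if (next === current) return { reject: false, reason: "no NUL found" };
    current = next;
  }
  // Still changing after the bound: refuse rather than guess.
  return { reject: true, reason: "encoding nested too deeply" };
}

// Constructed sample URIs (not taken from the advisory or the bug report).
const SAMPLES = [
  "jar:file:///tmp/sample.zip!/docs/readme.txt",
  "jar:file:///tmp/sample.zip!/a%00b",
  "resource:///a%2500b",
  "moz-extension://00000000-0000-0000-0000-000000000000/a%00b",
];
for (const u of SAMPLES) {
  const r = checkJarBackedUri(u);
  console.log(`${r.reject ? "REJECT" : "allow "}  ${u}  (${r.reason})`);
}
```

Decoding to a fixed point rather than once is what separates this check from the first fix in the chain, which a second layer of encoding got past.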
IMPACT
Exploitation occurs when a target loads a specially crafted jar:, resource:///, or moz-extension:// URI, whether through direct navigation, a redirect served by attacker-controlled web content, or a link embedded in another document. It does not allow remote code execution on its own. The realistic impact is a same-origin attribution failure that enables filename and content-type spoofing: an attacker can cause Firefox to offer a download under a fully attacker-controlled filename and extension while the underlying content is something else, or cause a resource to be served and rendered under an incorrect MIME type. Where the vulnerable path is reached through an installed extension’s web_accessible_resources surface, the spoofed response still appears to originate from that extension’s legitimate origin, which can be used to make a malicious download appear trustworthy or to slip mislabeled content past automated extension review tooling that inspects files by extension.
Confidentiality impact is limited to the disclosure of which origin or extension a spoofed resource appears to come from; there is no direct integrity impact on browser-managed state and no availability impact. This is consistent with the vulnerability functioning as a trust manipulation and disclosure primitive rather than a vector for direct data exfiltration, session hijacking, or arbitrary code execution.
CVE ID
| CVE ID | CVE-2026-8971 |
| Vulnerability Type | Same-Origin Policy Bypass / Origin Validation Error |
| CWE | CWE-346 – Origin Validation Error |
| Vendor | Mozilla |
| Affected Products | Firefox < 151, Firefox ESR < 140.11 |
| Component | Networking: JAR |
CVSS SCORE
| CVSS Score | 6.5 (Medium) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | Low |
| Integrity Impact | Low |
| Availability Impact | None |
The CVSS scoring above reflects the rating published for this CVE in third-party vulnerability tracking databases.
DISCLOSURE TIMELINE
| 16 Apr 2026 | Reported to Mozilla via Bugzilla (Bug 2032604) |
| 21 Apr 2026 | Patch landed on mozilla-central |
| 22 Apr 2026 | Bounty awarded; publication approved |
| 19 May 2026 | CVE-2026-8971 published via MFSA2026-46, fixed in Firefox 151 |
CREDITS
Surya Dev Singh – Payatu Security Consulting Pvt. Ltd.