CVE-2026-0889
Denial-of-Service in Firefox Service Workers Before
Publication date: 2026-01-13
Last updated on: 2026-04-13
Assigner: Mozilla Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mozilla | firefox | 144.0.2 |
| mozilla | firefox | 146.0a1 |
| mozilla | firefox | From 147 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0889 is a denial-of-service vulnerability in Firefox versions before 147 related to the handling of Service Workers. When a web page registers a Service Worker with an excessively large script payload, exceeding internal size limits, Firefox crashes due to an assertion failure and null pointer dereference in its internal string handling. This happens because the script size is only validated after processing, leading to a browser crash instead of safely rejecting the script. The issue affects Windows 10/11 and Linux platforms and was fixed in Firefox 147 by adding preemptive script size validation. [1]
How can this vulnerability impact me?
This vulnerability can cause Firefox browsers running versions before 147 to crash when visiting malicious web pages that register Service Workers with very large scripts. This results in a denial-of-service condition, disrupting user browsing experience and potentially causing loss of unsaved data or interruption of critical browser-based activities. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes of Firefox versions prior to 147 when visiting web pages that register Service Workers with unusually large script payloads. Specifically, if Firefox crashes with assertion failures related to string length storage or segmentation faults in the Service Worker component, it may indicate exploitation attempts. Detection can involve analyzing browser crash logs for messages about 'nsTStringLengthStorage' assertion failures or null pointer dereferences. Additionally, network monitoring could look for HTTP requests serving extremely large Service Worker scripts or repeated registrations of Service Workers with randomized scopes and large payloads. There are no specific commands provided, but examining Firefox crash reports and network traffic for oversized Service Worker scripts is recommended. [1]
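The network-side check described above can be sketched as a scan over proxy logs. This is an added example, not part of the original advisory or of Mozilla's code. It assumes a JSON-lines log whose `service_worker` field records the request's `Service-Worker` header (browsers send `Service-Worker: script` when fetching a worker script); the field names, the host `sw-test.example`, and the size threshold are all assumptions.

```python
import json
import re
from collections import Counter

# Assumption: the page gives no numeric limit; pick a threshold that fits your traffic.
SIZE_THRESHOLD = 64 * 1024 * 1024
FIXED_MAJOR = 147  # the page states the issue is fixed in Firefox 147
UA = "Mozilla/5.0 (X11; Linux x86_64; rv:{v}.0) Gecko/20100101 Firefox/{v}.0"

def rec(client, path, size, version, sw=True):
    """Build one constructed proxy record (hypothetical field names)."""
    return json.dumps({"client": client, "host": "sw-test.example", "path": path,
                       "service_worker": "script" if sw else None,
                       "resp_bytes": size, "ua": UA.format(v=version)})

# Constructed sample log, one JSON object per line, plus one malformed line.
SAMPLE_LOG = "\n".join([
    rec("10.0.0.5", "/sw.js", 4096, 146),                 # normal-sized worker
    rec("10.0.0.5", "/a1/sw.js", 600_000_000, 146),       # oversized, unpatched client
    rec("10.0.0.5", "/b7/sw.js", 600_000_000, 146),       # repeated from same client
    rec("10.0.0.7", "/big.iso", 900_000_000, 146, sw=False),  # large but not a worker
    rec("10.0.0.9", "/sw.js", 600_000_000, 147),          # oversized, patched client
    "not json at all",
])

def firefox_major(ua):
    m = re.search(r"Firefox/(\d+)", ua or "")
    return int(m.group(1)) if m else None

def find_oversized_workers(log_text, threshold=SIZE_THRESHOLD):
    """Return Service Worker script fetches whose response body exceeds threshold."""
    hits = []
    for line in log_text.splitlines():
        try:
            r = json.loads(line)
            size = int(r.get("resp_bytes") or 0)
        except (ValueError, TypeError, AttributeError):
            continue  # skip malformed records instead of aborting the scan
        if r.get("service_worker") != "script" or size < threshold:
            continue
        major = firefox_major(r.get("ua"))
        r["unpatched_client"] = major is not None and major < FIXED_MAJOR
        hits.append(r)
    return hits

def repeated_fetches(hits, min_count=2):
    """Clients that pulled oversized worker scripts from one host several times."""
    counts = Counter((h["client"], h["host"]) for h in hits)
    return {key: n for key, n in counts.items() if n >= min_count}
```

Hits with `unpatched_client` set are the ones to correlate with Firefox crash reports from the same machine.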
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update Firefox to version 147 or later, where this vulnerability has been fixed. Until the update is applied, users should avoid visiting untrusted websites that might register Service Workers with very large scripts. Additionally, disabling Service Workers temporarily or using browser security settings/extensions to block or limit Service Worker registrations could reduce risk. Monitoring for browser crashes and applying security patches promptly is essential. [1]