CVE-2026-0889
Unknown Unknown - Not Provided
Denial-of-Service in Firefox Service Workers Before

Publication date: 2026-01-13

Last updated on: 2026-04-13

Assigner: Mozilla Corporation

Description
Denial-of-service in the DOM: Service Workers component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-14
NVD
CVE-2026-0889
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
mozilla firefox 144.0.2
mozilla firefox 146.0a1
mozilla firefox From 147 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-0889 is a denial-of-service vulnerability in Firefox versions before 147 related to the handling of Service Workers. When a web page registers a Service Worker with an excessively large script payload, exceeding internal size limits, Firefox crashes due to an assertion failure and null pointer dereference in its internal string handling. This happens because the script size is only validated after processing, leading to a browser crash instead of safely rejecting the script. The issue affects Windows 10/11 and Linux platforms and was fixed in Firefox 147 by adding preemptive script size validation. [1]

Impact Analysis

This vulnerability can cause Firefox browsers running versions before 147 to crash when visiting malicious web pages that register Service Workers with very large scripts. This results in a denial-of-service condition, disrupting user browsing experience and potentially causing loss of unsaved data or interruption of critical browser-based activities. [1]

Detection Guidance

This vulnerability can be detected by monitoring for crashes of Firefox versions prior to 147 when visiting web pages that register Service Workers with unusually large script payloads. Specifically, if Firefox crashes with assertion failures related to string length storage or segmentation faults in the Service Worker component, it may indicate exploitation attempts. Detection can involve analyzing browser crash logs for messages about 'nsTStringLengthStorage' assertion failures or null pointer dereferences. Additionally, network monitoring could look for HTTP requests serving extremely large Service Worker scripts or repeated registrations of Service Workers with randomized scopes and large payloads. There are no specific commands provided, but examining Firefox crash reports and network traffic for oversized Service Worker scripts is recommended. [1]

Mitigation Strategies

The immediate mitigation step is to update Firefox to version 147 or later, where this vulnerability has been fixed. Until the update is applied, users should avoid visiting untrusted websites that might register Service Workers with very large scripts. Additionally, disabling Service Workers temporarily or using browser security settings/extensions to block or limit Service Worker registrations could reduce risk. Monitoring for browser crashes and applying security patches promptly is essential. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart