Skip to main content

Firefox for iOS CVE-2026-9078

| EUVDEUVD-2026-31693 MEDIUM
User Interface (UI) Misrepresentation of Critical Information (CWE-451)
2026-05-25 mozilla GHSA-78h4-7j7j-4p28
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Jun 08, 2026 - 12:35 vuln.today
CVSS changed
May 26, 2026 - 21:22 NVD
5.4 (MEDIUM)
CVE Published
May 25, 2026 - 14:05 nvd
UNKNOWN (no severity yet)
CVE Published
May 25, 2026 - 14:05 nvd
MEDIUM 5.4

DescriptionCVE.org

Firefox for iOS displayed specially crafted right-to-left (RTL) and internationalized domain names (IDNs) incorrectly in link preview UI surfaces. A crafted RTL hostname could visually reorder portions of the displayed domain, causing attacker-controlled sites to appear as trusted origins. This vulnerability was fixed in Firefox for iOS 151.1.

AnalysisAI

Firefox for iOS misrepresents attacker-controlled domains as trusted origins through improper rendering of right-to-left Unicode characters and internationalized domain names (IDNs) in the link preview UI surface, enabling a spoofing/phishing attack against users on any iOS version prior to 151.1. The CVSS vector (PR:N/UI:R) indicates unauthenticated network-reachable exploitation contingent on user interaction with a crafted link. EPSS at the 5th percentile and SSVC exploitation status of 'none' confirm no active exploitation or public exploit code has been identified at time of analysis, positioning this as a targeted phishing risk rather than a broad automated threat.

Technical ContextAI

CWE-451 (UI Misrepresentation of Critical Information) identifies the root cause: the link preview rendering component in Firefox for iOS fails to neutralize bidirectional Unicode control characters (e.g., U+202E RIGHT-TO-LEFT OVERRIDE) and IDN homograph sequences before display. RTL overrides can visually reorder hostname labels so 'evil.com' renders as 'moc.live' or a recognizable brand name. IDN homograph attacks use visually identical Unicode characters (e.g., Cyrillic 'а' vs. Latin 'a') in registered domains to impersonate trusted origins. The affected CPE (cpe:2.3:a:mozilla:firefox_for_ios:*:*:*:*:*:*:*:*) covers all Firefox for iOS versions without an upper bound prior to the 151.1 fix, and the flaw is isolated to the iOS platform build - Firefox Desktop and Firefox for Android share different rendering paths and are not named in this advisory.

RemediationAI

Upgrade Firefox for iOS to version 151.1 or later, which contains the vendor-released patch per Mozilla security advisory mfsa2026-52 (https://www.mozilla.org/security/advisories/mfsa2026-52/). The update is distributed through the Apple App Store and should be applied as soon as it is available on the target device. If immediate upgrade is blocked by MDM policy or App Store restrictions, the primary compensating control is user awareness: instruct users to type trusted URLs directly into the address bar rather than relying on link preview UI for domain verification, as the address bar rendering is a separate code path. Blocking or restricting access to non-Latin IDN domains at the enterprise DNS or proxy layer can reduce IDN homograph exposure, though this may break legitimate internationalized sites and should be evaluated for operational impact. No network-level control can remediate this client-side rendering defect.

Share

CVE-2026-9078 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy