Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.
The error is classified as CWE-284 (improper access control) and CWE-693 (protection mechanism bypassed or circumvented) indicating that the Messaging System component does not properly enforce sandbox isolation. A remote attacker, over the network, can send specially crafted data to the component responsible for internal communication in the browser/mail client and thereby execute code outside the sandbox environment, gaining access to operating system resources.
Successful exploitation of this vulnerability allows an attacker to completely compromise the confidentiality, integrity, and availability of the system — including remote code execution (RCE) with the privileges of the browser or mail client process outside the isolated sandbox. The scope of impact extends beyond the vulnerable component itself (CVSS Scope: Changed).
Immediately update Mozilla Firefox to version 147 or later and Mozilla Thunderbird to version 147 or later. Detailed information available in the vendor's security advisories: MFSA2026-01 and MFSA2026-04.
Mozilla Firefox in versions prior to 147 and Mozilla Thunderbird in versions prior to 147.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMozilla Firefox
APPMozilla< 147.0Mozilla Thunderbird
APPMozilla< 147.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...