CRITICAL🇵🇱 Wersja polska

CVE-2026-0881

CVSS 10.0v3.1pub. 2026-01-13upd. 2026-06-30

Sandbox escape in the Messaging System component. This vulnerability was fixed in Firefox 147 and Thunderbird 147.

🤖 AI Analysis
How it works

The error is classified as CWE-284 (improper access control) and CWE-693 (protection mechanism bypassed or circumvented) indicating that the Messaging System component does not properly enforce sandbox isolation. A remote attacker, over the network, can send specially crafted data to the component responsible for internal communication in the browser/mail client and thereby execute code outside the sandbox environment, gaining access to operating system resources.

Impact

Successful exploitation of this vulnerability allows an attacker to completely compromise the confidentiality, integrity, and availability of the system — including remote code execution (RCE) with the privileges of the browser or mail client process outside the isolated sandbox. The scope of impact extends beyond the vulnerable component itself (CVSS Scope: Changed).

Mitigation & patch

Immediately update Mozilla Firefox to version 147 or later and Mozilla Thunderbird to version 147 or later. Detailed information available in the vendor's security advisories: MFSA2026-01 and MFSA2026-04.

Who is affected

Mozilla Firefox in versions prior to 147 and Mozilla Thunderbird in versions prior to 147.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Mozilla Firefox

    APP
    Mozilla
    < 147.0
  • Mozilla Thunderbird

    APP
    Mozilla
    < 147.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-9680CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Use-after-free w Animation timelines Firefox/Thunderbird — RCE

CVE-2022-26486CRITICAL9.6⚠ KEVten sam produkt

An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...

CVE-2019-11708CRITICAL10.0⚠ KEVten sam produkt

Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...

CVE-2010-3765CRITICAL9.8⚠ KEVten sam produkt

Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...

CVE-2026-14241CRITICAL9.8ten sam produkt

Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...