Sandbox escape due to incorrect boundary conditions in the Graphics: WebRender component. This vulnerability was fixed in Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8.
The vulnerability results from incorrect boundary conditions in the Graphics: WebRender component. Faulty boundary verification allows an attacker to break sandbox isolation, which normally restricts code executed in the context of the browser or mail client. The attack can be conducted remotely, without authentication and without user interaction, making it particularly dangerous.
An attacker can escape the sandbox environment and gain unauthorized access to the host operating system, potentially taking full control over the confidentiality, integrity, and availability of system resources.
Update to Firefox 148, Firefox ESR 115.33, Firefox ESR 140.8, Thunderbird 148, or Thunderbird 140.8, in which the vulnerability has been fixed. Detailed information available in Mozilla security advisories: mfsa2026-13, mfsa2026-14, mfsa2026-15, mfsa2026-16.
Mozilla Firefox in versions before 148 and Firefox ESR in versions before 115.33 and before 140.8; Mozilla Thunderbird in versions before 148 and before 140.8.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HMozilla Firefox
APPMozilla< 115.33.0< 148.0128.0 – 140.8.0 (bez)Mozilla Thunderbird
APPMozilla< 140.8.0< 148.0
Related vulnerabilities
Use-after-free w Animation timelines Firefox/Thunderbird — RCE
An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escap...
Insufficient vetting of parameters passed with the Prompt:Open IPC message between child and parent processes ...
Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, Thunderbird 3.1.6 before 3.1.6 and 3.0.x before...
Memory safety bugs present in Firefox 152.0.3. Some of these bugs showed evidence of memory corruption and we ...